
Windows Analysis Report ZGNX11JMSc.exe

Overview

General Information

Sample Name: ZGNX11JMSc.exe
Analysis ID: 448876
MD5: fcfb0ec70f1419ede8a534cc95cb61e9
SHA1: d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256: ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags: 32, exe, GuLoader, trojan

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ZGNX11JMSc.exe (PID: 3152 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)
    • ZGNX11JMSc.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ZGNX11JMSc.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.ZGNX11JMSc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
36.0.ZGNX11JMSc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
1.2.ZGNX11JMSc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: ZGNX11JMSc.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}
Multi AV Scanner detection for submitted file
Source: ZGNX11JMSc.exe | Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: ZGNX11JMSc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor | URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Source: Joe Sandbox View | ASN Name: SERVERIR SERVERIR
Source: global traffic | HTTP traffic detected: GET /bin_UYDMbHwI28.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ceattire.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /bin_UYDMbHwI28.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ceattire.com Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: ceattire.com
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp | String found in binary or memory: http://ceattire.com/
Source: ZGNX11JMSc.exe, 00000024.00000003.1040714283.0000000000A36000.00000004.00000001.sdmp | String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.bin
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp | String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binI
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp | String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binK
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp | String found in binary or memory: http://ceattire.com/o
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe | String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022468CC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224879F NtProtectVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248C82 NtSetInformationThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022454E5 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022442CD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B1A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B5F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244B8E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022443F1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247036 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244071 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02242958 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241E2C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244785 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224341B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248CD5 NtSetInformationThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224251E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248D58 NtSetInformationThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022455AC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1899A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1895D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A10 NtQuerySection
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189650 NtQueryValueKey
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1896D0 NtCreateKey
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189B00 NtSetValueKey
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189770 NtSetInformationFile
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18A770 NtOpenThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189760 NtOpenProcess
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189FE0 NtCreateMutant
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189820 NtEnumerateKey
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18B040 NtSuspendThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1898A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18AD30 NtSetContextThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189950 NtQueueApcThread
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189560 NtWriteFile
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1899D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1895F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022458C9
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248C82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022454E5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022404CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022472C3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B2D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247B73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248385
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244B8E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243B9A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224881D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240845
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022420E3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022458F8
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022480D4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247153
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022429B0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022451BE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02242183
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240610
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243E5E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022476B2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243EC4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247F03
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243F0C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247F6D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244785
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240C24
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248446
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243C4E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02243CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022434C4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248CD5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224350F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224251E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02248D58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240D83
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240D9C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02245DCA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E166E30
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17EBB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15841F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E201002
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15B090
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14F900
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E140D20
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E211D55
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15D5E0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: String function: 1E14B150 appears 32 times
Source: ZGNX11JMSc.exe | Static PE information: invalid certificate
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe, 00000001.00000000.213248229.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1048619295.000000001E3CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1042709063.00000000009A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000000.621492297.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@6/1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File created: C:\Users\user\AppData\Local\Temp\~DFF8A59228C9DEEDCA.TMP
Source: ZGNX11JMSc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ZGNX11JMSc.exe | Virustotal: Detection: 20%
Source: unknown | Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: ZGNX11JMSc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match | File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match | File source: 1.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000000.621430446.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.213217103.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623260641.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0040495E push es; ret 1_2_00404963
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02061774 push edx; ret 1_2_020617A1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02064205 push edx; ret 1_2_02064231
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02062A05 push edx; ret 1_2_02062A31
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02061205 push edx; ret 1_2_02061231
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02065A03 push edx; ret 1_2_02065A31
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02066214 push edx; ret 1_2_02066241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02064A13 push edx; ret 1_2_02064A41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02063213 push edx; ret 1_2_02063241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02061A13 push edx; ret 1_2_02061A41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02060218 push edx; ret 1_2_02060241
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02063A24 push edx; ret 1_2_02063A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02062224 push edx; ret 1_2_02062251
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02060A24 push edx; ret 1_2_02060A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02066A24 push edx; ret 1_2_02066A51
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02065225 push edx; ret 1_2_02065251
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02064233 push edx; ret 1_2_02064261
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02062A33 push edx; ret 1_2_02062A61
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02061233 push edx; ret 1_2_02061261
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02065A33 push edx; ret 1_2_02065A61
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02064A44 push edx; ret 1_2_02064A71
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02063244 push edx; ret 1_2_02063271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02061A44 push edx; ret 1_2_02061A71
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02066244 push edx; ret 1_2_02066271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02060248 push edx; ret 1_2_02060271
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02063A54 push edx; ret 1_2_02063A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02062254 push edx; ret 1_2_02062281
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02066A54 push edx; ret 1_2_02066A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02065253 push edx; ret 1_2_02065281
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02060A58 push edx; ret 1_2_02060A81
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02065A64 push edx; ret 1_2_02065A91

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408FD TerminateProcess, 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022468CC NtWriteVirtualMemory, 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022442CD NtWriteVirtualMemory, 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B1A NtWriteVirtualMemory, 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241B5F NtWriteVirtualMemory, 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022443F1 NtWriteVirtualMemory, 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247036 NtWriteVirtualMemory, 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02244071 NtWriteVirtualMemory, 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240845 TerminateProcess, 1_2_02240845
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408B3 TerminateProcess, 1_2_022408B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408E2 TerminateProcess, 1_2_022408E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224790A 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02242958 NtWriteVirtualMemory, 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02241E2C NtWriteVirtualMemory, 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224767B 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02246F9E 1_2_02246F9E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02240C24 TerminateProcess, 1_2_02240C24
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224742D 1_2_0224742D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224341B NtWriteVirtualMemory, 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224251E NtWriteVirtualMemory, 1_2_0224251E
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000022475BB second address: 00000000022475BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E4BBF35Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E4BBF90Eh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E4BBF45Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000005675BB second address: 00000000005675BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E439A94Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E439AEFEh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E439AA4Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000000566FB5 second address: 0000000000567020 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, 9A3693F5h 0x00000008 cmp cx, cx 0x0000000b sub ebx, C476974Ah 0x00000011 test ax, 00008AFBh 0x00000015 sub ebx, E4232D93h 0x0000001b add ebx, 0E643128h 0x00000021 mov bx, word ptr [edx+ebx] 0x00000025 mov ax, word ptr [eax] 0x00000028 cmp dl, FFFFFFB4h 0x0000002b xor ax, cx 0x0000002e cmp bx, cx 0x00000031 xor bx, ax 0x00000034 mov word ptr [ebp+00000275h], di 0x0000003b mov di, 3896h 0x0000003f xor di, 7DA2h 0x00000044 test dx, ax 0x00000047 xor di, 97D1h 0x0000004c cmp cx, cx 0x0000004f xor di, 88A8h 0x00000054 pushad 0x00000055 mov si, 5497h 0x00000059 cmp si, 5497h 0x0000005e jne 00007FA2E4BBEECAh 0x00000064 popad 0x00000065 pushad 0x00000066 mov edx, 000000DBh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000000567020 second address: 0000000000566FB5 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, di 0x00000006 mov di, word ptr [ebp+00000275h] 0x0000000d je 00007FA2E439A936h 0x0000000f inc cx 0x00000011 jmp 00007FA2E439A899h 0x00000016 test al, A3h 0x00000018 mov eax, dword ptr [ebp+64h] 0x0000001b pushad 0x0000001c mov edx, 00000063h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 000000000056707C second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [ebp+0000019Dh], 293F2C89h 0x0000000d sub dword ptr [ebp+0000019Dh], E4024E33h 0x00000017 pushad 0x00000018 mov bh, 30h 0x0000001a cmp bh, 00000030h 0x0000001d jne 00007FA2E4397793h 0x00000023 popad 0x00000024 cmp ebx, dword ptr [ebp+0000019Dh] 0x0000002a jnl 00007FA2E439A929h 0x0000002c add ebx, 02h 0x0000002f jmp 00007FA2E439A8BFh 0x00000031 test bh, 0000005Ch 0x00000034 xor word ptr [eax+ebx], cx 0x00000038 test dl, FFFFFF99h 0x0000003b mov dword ptr [ebp+0000019Dh], CA26A2BDh 0x00000045 test bx, ax 0x00000048 pushad 0x00000049 nop 0x0000004a nop 0x0000004b mov eax, 00000001h 0x00000050 cpuid 0x00000052 popad 0x00000053 add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x0000005d pushad 0x0000005e mov edx, 0000008Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408FD rdtsc 1_2_022408FD
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: ZGNX11JMSc.exe, 00000024.00000003.1031145557.0000000000A43000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW,
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022408FD rdtsc 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E189A00 NtProtectVirtualMemory, LdrInitializeThunk, 36_2_1E189A00
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02246B93 mov eax, dword ptr fs:[00000030h] 1_2_02246B93
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022450CA mov eax, dword ptr fs:[00000030h] 1_2_022450CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02242958 mov eax, dword ptr fs:[00000030h] 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_022471A9 mov eax, dword ptr fs:[00000030h] 1_2_022471A9
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_0224341B mov eax, dword ptr fs:[00000030h] 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 1_2_02247D52 mov eax, dword ptr fs:[00000030h] 1_2_02247D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h] 36_2_1E14AA16
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h] 36_2_1E14AA16
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E163A1C mov eax, dword ptr fs:[00000030h] 36_2_1E163A1C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h] 36_2_1E17A61C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h] 36_2_1E17A61C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h] 36_2_1E14C600
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E178E00 mov eax, dword ptr fs:[00000030h] 36_2_1E178E00
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E158A0A mov eax, dword ptr fs:[00000030h] 36_2_1E158A0A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1FFE3F mov eax, dword ptr fs:[00000030h] 36_2_1E1FFE3F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14E620 mov eax, dword ptr fs:[00000030h] 36_2_1E14E620
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E218A62 mov eax, dword ptr fs:[00000030h] 36_2_1E218A62
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1D4257 mov eax, dword ptr fs:[00000030h] 36_2_1E1D4257
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h] 36_2_1E149240
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h] 36_2_1E157E41
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E18927A mov eax, dword ptr fs:[00000030h] 36_2_1E18927A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 36_2_1E16AE73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15766D mov eax, dword ptr fs:[00000030h] 36_2_1E15766D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h] 36_2_1E1FB260
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h] 36_2_1E1FB260
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h] 36_2_1E17D294
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h] 36_2_1E17D294
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 36_2_1E210EA5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1DFE87 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFE87
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E15AAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E15AAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17FAB0 mov eax, dword ptr fs:[00000030h] 36_2_1E17FAB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 36_2_1E1452A5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1C46A7 mov eax, dword ptr fs:[00000030h] 36_2_1E1C46A7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1736CC mov eax, dword ptr fs:[00000030h] 36_2_1E1736CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h] 36_2_1E1FFEC0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E188EC7 mov eax, dword ptr fs:[00000030h] 36_2_1E188EC7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1716E0 mov ecx, dword ptr fs:[00000030h] 36_2_1E1716E0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E218ED6 mov eax, dword ptr fs:[00000030h] 36_2_1E218ED6
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1576E2 mov eax, dword ptr fs:[00000030h] 36_2_1E1576E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E16F716 mov eax, dword ptr fs:[00000030h] 36_2_1E16F716
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFF10
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 36_2_1E1DFF10
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h] 36_2_1E17A70E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h] 36_2_1E17A70E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E17E730 mov eax, dword ptr fs:[00000030h] 36_2_1E17E730
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h] 36_2_1E21070D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h] 36_2_1E21070D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h] 36_2_1E144F2E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h] 36_2_1E144F2E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E20131B mov eax, dword ptr fs:[00000030h] 36_2_1E20131B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E218F6A mov eax, dword ptr fs:[00000030h] 36_2_1E218F6A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14F358 mov eax, dword ptr fs:[00000030h] 36_2_1E14F358
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E14DB40 mov eax, dword ptr fs:[00000030h] 36_2_1E14DB40
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 36_2_1E15EF40 mov eax, dword ptr fs:[00000030h] 36_2_1E15EF40
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h]36_2_1E173B7A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h]36_2_1E173B7A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E14DB60 mov ecx, dword ptr fs:[00000030h]36_2_1E14DB60
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E15FF60 mov eax, dword ptr fs:[00000030h]36_2_1E15FF60
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E218B58 mov eax, dword ptr fs:[00000030h]36_2_1E218B58
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E158794 mov eax, dword ptr fs:[00000030h]36_2_1E158794
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E215BA5 mov eax, dword ptr fs:[00000030h]36_2_1E215BA5
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E17B390 mov eax, dword ptr fs:[00000030h]36_2_1E17B390
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]36_2_1E1C7794
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]36_2_1E1C7794
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]36_2_1E1C7794
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h]36_2_1E151B8F
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h]36_2_1E151B8F
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1FD380 mov ecx, dword ptr fs:[00000030h]36_2_1E1FD380
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E20138A mov eax, dword ptr fs:[00000030h]36_2_1E20138A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1837F5 mov eax, dword ptr fs:[00000030h]36_2_1E1837F5
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]36_2_1E1703E2
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]36_2_1E1C7016
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]36_2_1E1C7016
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]36_2_1E1C7016
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]36_2_1E1C6C0A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]36_2_1E1C6C0A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]36_2_1E1C6C0A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]36_2_1E1C6C0A
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]36_2_1E201C06
                Source: C:\Users\user\Desktop\ZGNX11JMSc.exeCode function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h]