Source: mTGDPqzxwu.exe |
ReversingLabs: Detection: 42% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 80.8% probability |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F71E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_006F71E0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F7180 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, |
0_2_006F7180 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F7240 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_006F7240 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CF49C _strdup,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,fopen,free,CertOpenStore,_strdup,GetLastError,free,free,free,CryptStringToBinaryA,free,CertCloseStore,CertFindCertificateInStore,free,CertCloseStore,free,fseek,ftell,fread,fclose,MultiByteToWideChar,fseek,fclose,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertFreeCertificateContext,CertCloseStore,memset,memset,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,memset,strtol,strchr,strncmp,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free, |
0_2_006CF49C |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CD730 BCryptGenRandom, |
0_2_006CD730 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CD7F0 BCryptGenRandom, |
0_2_006CD7F0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F5860 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, |
0_2_006F5860 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F58E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_006F58E0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F58C0 CryptHashData, |
0_2_006F58C0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CD8A0 memset,BCryptGenRandom, |
0_2_006CD8A0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F0940 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, |
0_2_006F0940 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F5D10 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, |
0_2_006F5D10 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F0E10 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, |
0_2_006F0E10 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CEF40 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_006CEF40 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F7FA0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_006F7FA0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: -----BEGIN PUBLIC KEY----- |
0_2_006AD8A0 |
Source: mTGDPqzxwu.exe |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: mov dword ptr [ebx+04h], 424D53FFh |
0_2_006E2B00 |
Source: mTGDPqzxwu.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: mTGDPqzxwu.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb7 source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\DriverInjectDll-master\bin\driver_inject_x64.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\ReplayClientTest.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb&& source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb'' source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb7 source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\JQMain.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb source: mTGDPqzxwu.exe |
Source: |
Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb source: mTGDPqzxwu.exe |
Source: unknown |
DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006910C0 #266,#265,#266,#265,WSARecv,#111,EnterCriticalSection,LeaveCriticalSection,#266, |
0_2_006910C0 |
Source: global traffic |
DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa |
Source: mTGDPqzxwu.exe |
String found in binary or memory: http://27.25.156.102:9999/style.html |
Source: mTGDPqzxwu.exe |
String found in binary or memory: http://27.25.156.102:9999/style.htmlSoftware |
Source: mTGDPqzxwu.exe |
String found in binary or memory: http://sf.symcb.com/sf.crl0f |
Source: mTGDPqzxwu.exe |
String found in binary or memory: http://sf.symcb.com/sf.crt0 |
Source: mTGDPqzxwu.exe |
String found in binary or memory: http://sf.symcd.com0& |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/alt-svc.html |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/alt-svc.html# |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/hsts.html |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/hsts.html# |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html# |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: mTGDPqzxwu.exe |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0068DB70 memset,memset,SHGetSpecialFolderPathA,_time64,OpenClipboard,GetClipboardData,GlobalSize,malloc,GlobalLock,memset,GlobalUnlock,CloseClipboard,SendMessageW,#296,#296,SendMessageW,#4815,SendMessageW,#8067,#290,#13656,#13656,#1045,#290,#13656,#1045,#290,#290,#4815,#1045,#1045,#290,GetPrivateProfileIntW,#1045,#13656,#290,#290,WritePrivateProfileStringW,WritePrivateProfileStringW,#1045,#1045,WritePrivateProfileStringW,#290,#290,WritePrivateProfileStringW,#1045,#1045,#13656,#1045,#1045,fopen,fclose, |
0_2_0068DB70 |
Source: mTGDPqzxwu.exe, type: SAMPLE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Rule for beacon reflective loader Author: unknown |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006868F0 memset,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,memset,DeviceIoControl,memmove,malloc,free, |
0_2_006868F0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00685CE0 OpenSCManagerA,OpenServiceA,GetLastError,MessageBoxA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,ControlService,DeleteService,GetLastError, |
0_2_00685CE0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F1010 |
0_2_006F1010 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006C91E0 |
0_2_006C91E0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006EB240 |
0_2_006EB240 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006C02B0 |
0_2_006C02B0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006D1320 |
0_2_006D1320 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006A5300 |
0_2_006A5300 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006D43E0 |
0_2_006D43E0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CC420 |
0_2_006CC420 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006E6410 |
0_2_006E6410 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CF49C |
0_2_006CF49C |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006DE500 |
0_2_006DE500 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F3510 |
0_2_006F3510 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006866C0 |
0_2_006866C0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00686720 |
0_2_00686720 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00698710 |
0_2_00698710 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006B1A30 |
0_2_006B1A30 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006CAAE0 |
0_2_006CAAE0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006EFB00 |
0_2_006EFB00 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00683E70 |
0_2_00683E70 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006C9E20 |
0_2_006C9E20 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006DEEF0 |
0_2_006DEEF0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006F7F50 |
0_2_006F7F50 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006E3F90 |
0_2_006E3F90 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006E9F90 |
0_2_006E9F90 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006B59A0 appears 38 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006BC8B0 appears 38 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006B5830 appears 299 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006BC910 appears 77 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006F4570 appears 32 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006B5870 appears 81 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006BF570 appears 43 times |
|
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: String function: 006B5760 appears 427 times |
|
Source: mTGDPqzxwu.exe |
Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
Source: mTGDPqzxwu.exe |
Static PE information: Resource name: DRV type: PE32+ executable (native) x86-64, for MS Windows |
Source: mTGDPqzxwu.exe |
Static PE information: Resource name: G_GAMEE type: PE32 executable (console) Intel 80386, for MS Windows |
Source: mTGDPqzxwu.exe |
Static PE information: Resource name: OLDDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe |
Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe |
Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe |
Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe |
Source: mTGDPqzxwu.exe, type: SAMPLE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13 |
Source: mTGDPqzxwu.exe |
Binary string: \Device\CrashDumpUpload\DosDevices\CrashDumpUpload |
Source: classification engine |
Classification label: mal72.evad.winEXE@1/0@1/0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: OpenSCManagerA,OpenServiceA,GetLastError,MessageBoxA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,ControlService,DeleteService,GetLastError, |
0_2_00685CE0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00685030 CreateToolhelp32Snapshot,memset,#290,#290,Process32FirstW,CloseHandle,#5110,StrCmpW,#296,#4815,OpenFileMappingW,#1045,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,OpenProcess,GetProcessTimes,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,_time64,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,#1045,Process32NextW,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,TerminateProcess,#1045,CloseHandle,#1045,#1045, |
0_2_00685030 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00687050 memset,memset,memset,memset,P_LoadSystem,P_UserLogin,P_GetLoginValue,P_GetLoginValue,#296,#296,#1526,P_GetLoginValue,#290,#4815,#1045,#13806,P_GetDataValue,VirtualQuery,FindResourceW,#1045,#1045,SizeofResource,LoadResource,LockResource,memset,memset,fopen,fwrite,fclose,fclose,fclose,#1045,#1045,#13806, |
0_2_00687050 |
Source: mTGDPqzxwu.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: mTGDPqzxwu.exe |
String found in binary or memory: :8085/add |
Source: mTGDPqzxwu.exe |
String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u |
Source: mTGDPqzxwu.exe |
String found in binary or memory: A%dUnknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ |
Source: mTGDPqzxwu.exe |
String found in binary or memory: Unknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_: httpslist<T> too long4 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: mfc140u.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: msvcp140.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: plfl32.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: vcruntime140.dll |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Section loaded: uxtheme.dll |
Source: mTGDPqzxwu.exe |
Static file information: File size 5087232 > 1048576 |
Source: mTGDPqzxwu.exe |
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x43f800 |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: mTGDPqzxwu.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: mTGDPqzxwu.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: mTGDPqzxwu.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: mTGDPqzxwu.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: mTGDPqzxwu.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: mTGDPqzxwu.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006B9100 #115,#116,GetModuleHandleA,GetProcAddress,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, |
0_2_006B9100 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D1D6 push ecx; ret |
0_2_0069D1E9 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0068AA10 memset,memset,memset,memset,SHGetFolderPathA,SHGetSpecialFolderPathA,memset,GetPrivateProfileIntA,_time64,fopen,fwrite,fclose,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,GetFileAttributesA,CreateDirectoryA,WritePrivateProfileStringA,memset,memset,memset,memset,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,#13656,atoll,atoll,atoll,GetTickCount,GetTickCount,GetPrivateProfileIntA,GetTickCount,GetPrivateProfileIntA,#13656,memset,memset,memset,memset,memset,memset,memset,_access,_access,_access,#13656,memset,GetPrivateProfileStringA,memset,_time64,#13656,atoll,#13656,_access,GetPrivateProfileStringA,#13656,memset,GetPrivateProfileStringA,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,_access,memset,GetPrivateProfileStringA,_access,#13656,memset,memcpy,_time64,#13656, |
0_2_0068AA10 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00687B80 IsIconic,memset,#890,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#1391,#11038, |
0_2_00687B80 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00681620 memset,memset,LoadLibraryW,#296,#296,#4815,#4815,#4815,GetCurrentDirectoryW,#5110,SetCurrentDirectoryW,SetCurrentDirectoryW,#5110,LoadLibraryW,SetCurrentDirectoryW,#1045,#1045,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00681620 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: malloc,malloc,GetAdaptersInfo,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strstr,strstr,free, |
0_2_006867F0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00691D70 P_GetLoginValue,#115,#111,CreateIoCompletionPort,CreateIoCompletionPort,CreateIoCompletionPort,CloseHandle,GetLastError,GetSystemInfo,CloseHandle,_beginthreadex,_beginthreadex,CloseHandle,_beginthreadex,CloseHandle, |
0_2_00691D70 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D37B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0069D37B |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_006B9100 #115,#116,GetModuleHandleA,GetProcAddress,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, |
0_2_006B9100 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D37B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0069D37B |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D50D SetUnhandledExceptionFilter, |
0_2_0069D50D |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069CC6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0069CC6C |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00685030 CreateToolhelp32Snapshot,memset,#290,#290,Process32FirstW,CloseHandle,#5110,StrCmpW,#296,#4815,OpenFileMappingW,#1045,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,OpenProcess,GetProcessTimes,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,_time64,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,#1045,Process32NextW,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,TerminateProcess,#1045,CloseHandle,#1045,#1045, |
0_2_00685030 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00689AC0 CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,#286,#5110,StrCmpW,#1045,Process32NextW,CloseHandle, |
0_2_00689AC0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00689BC0 CreateToolhelp32Snapshot,memset,Process32FirstW,CloseHandle,StrCmpW,StrCmpW,StrCmpW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,CloseHandle, |
0_2_00689BC0 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00689D90 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateToolhelp32Snapshot,memset,Process32FirstW,StrCmpW,Process32NextW,CloseHandle,#296,memset,GetWindowTextW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,GetWindowThreadProcessId,CreateThread,GetTickCount,GetTickCount,OpenProcess,TerminateProcess,CloseHandle,#1045, |
0_2_00689D90 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_00684E60 CreateToolhelp32Snapshot,memset,#290,Process32FirstW,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,#1045,Process32NextW,CloseHandle,#1045, |
0_2_00684E60 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D5B6 cpuid |
0_2_0069D5B6 |
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe |
Code function: 0_2_0069D26D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_0069D26D |