

Analysis Report uncategorized_3.0.0.0b.vir

Overview

General Information

Sample Name: uncategorized_3.0.0.0b.vir (renamed file extension from vir to exe)
Analysis ID: 247303
MD5: 8e326a09b93cc447d0ea9a3992bb4962
SHA1: 0a57892f4f92507f0f3405228274c5bfeb1103c5
SHA256: f990daf6364d6aeb0a8482a8fdab098b5790f29f2f34dd38ef4a83ac36827fe9


Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Allocates memory in foreign processes
Contains VNC / remote desktop functionality (version string found)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops batch files with force delete cmd (self deletion)
Found Tor onion address
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May initialize a security null descriptor
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: uncategorized_3.0.0.0b.exe PID: 2772
Rule: JoeSecurity_GenericDropper
Description: Yara detected Generic Dropper
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: uncategorized_3.0.0.0b.exe | Avira: detected
    Antivirus detection for dropped file
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Avira: detection malicious, Label: HEUR/AGEN.1009057
    Multi AV Scanner detection for submitted file
    Source: uncategorized_3.0.0.0b.exe | Virustotal: Detection: 85%
    Source: uncategorized_3.0.0.0b.exe | Metadefender: Detection: 11%
    Source: uncategorized_3.0.0.0b.exe | ReversingLabs: Detection: 92%
    Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Joe Sandbox ML: detected
    Machine Learning detection for sample
    Source: uncategorized_3.0.0.0b.exe | Joe Sandbox ML: detected
    Antivirus or Machine Learning detection for unpacked file
    Source: 18.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 0.0.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 16.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 18.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 0.2.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 5.3.kyud.exe.2b50000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 10.2.TuMYMYbmZdZpXjmSr.exe.d20000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 23.2.TuMYMYbmZdZpXjmSr.exe.12e0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 23.0.TuMYMYbmZdZpXjmSr.exe.1bf0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 9.2.TuMYMYbmZdZpXjmSr.exe.f60000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 15.2.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.2.uncategorized_3.0.0.0b.exe.2230000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 11.0.TuMYMYbmZdZpXjmSr.exe.e00000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 15.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 15.2.TuMYMYbmZdZpXjmSr.exe.1600000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 21.0.TuMYMYbmZdZpXjmSr.exe.19b0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 19.2.TuMYMYbmZdZpXjmSr.exe.1200000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 16.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.3.uncategorized_3.0.0.0b.exe.2ab0000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 22.0.TuMYMYbmZdZpXjmSr.exe.fa0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 5.0.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 17.2.TuMYMYbmZdZpXjmSr.exe.d00000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 16.2.TuMYMYbmZdZpXjmSr.exe.7c0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 14.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 14.2.TuMYMYbmZdZpXjmSr.exe.ac0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 24.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.3.uncategorized_3.0.0.0b.exe.2ab0000.1.unpack | Avira: Label: TR/Dropper.Gen
    Source: 21.2.TuMYMYbmZdZpXjmSr.exe.1140000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 21.2.TuMYMYbmZdZpXjmSr.exe.19b0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 11.2.TuMYMYbmZdZpXjmSr.exe.770000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 10.2.TuMYMYbmZdZpXjmSr.exe.e50000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 9.0.TuMYMYbmZdZpXjmSr.exe.f60000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 8.2.explorer.exe.6090000.23.unpack | Avira: Label: TR/Spy.Gen
    Source: 22.2.TuMYMYbmZdZpXjmSr.exe.fa0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 24.2.TuMYMYbmZdZpXjmSr.exe.c00000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.1.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 23.2.TuMYMYbmZdZpXjmSr.exe.1bf0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 9.2.TuMYMYbmZdZpXjmSr.exe.1090000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 10.0.TuMYMYbmZdZpXjmSr.exe.d20000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 8.0.explorer.exe.6090000.23.unpack | Avira: Label: TR/Spy.Gen
    Source: 14.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 22.2.TuMYMYbmZdZpXjmSr.exe.1a0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 18.2.TuMYMYbmZdZpXjmSr.exe.a60000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 4.2.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 20.0.TuMYMYbmZdZpXjmSr.exe.19d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 4.0.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 5.1.kyud.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 20.2.TuMYMYbmZdZpXjmSr.exe.19d0000.2.unpack | Avira: Label: TR/Spy.Gen
    Source: 17.0.TuMYMYbmZdZpXjmSr.exe.d00000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 19.2.TuMYMYbmZdZpXjmSr.exe.f20000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 11.2.TuMYMYbmZdZpXjmSr.exe.e00000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 3.0.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
    Source: 20.2.TuMYMYbmZdZpXjmSr.exe.10e0000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 24.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
    Source: 17.2.TuMYMYbmZdZpXjmSr.exe.130000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: 19.0.TuMYMYbmZdZpXjmSr.exe.1200000.0.unpack | Avira: Label: TR/Spy.Gen
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0050B34A CryptUnprotectData,LocalFree,3_2_0050B34A
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_2_00501AA7
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0050B34A CryptUnprotectData,LocalFree,3_1_0050B34A
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_1_00501AA7
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_0050B34A CryptUnprotectData,LocalFree,5_1_0050B34A
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_1_00501AA7
    Source: C:\Windows\explorer.exe | Code function: 8_2_06099614 __swprintf_l,CryptUnprotectData,LocalFree,__swprintf_l,8_2_06099614
    Source: C:\Windows\explorer.exe | Code function: 8_2_060AF374 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,8_2_060AF374
    Source: C:\Windows\explorer.exe | Code function: 8_2_06091078 CryptReleaseContext,8_2_06091078
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_0106B34A CryptUnprotectData,LocalFree,9_2_0106B34A
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01061AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_01061AA7
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,3_2_005092B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,3_1_005092B4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,5_1_005092B4
    Source: C:\Windows\explorer.exe | Code function: 8_2_06091548 IsBadReadPtr,NetUserEnum,8_2_06091548
    Source: C:\Windows\explorer.exe | Code function: 8_2_06091568 NetUserEnum,8_2_06091568
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A7064 LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,8_2_060A7064
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_010692B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,9_2_010692B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_2_00506D11
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_2_00506DCE
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,3_1_00506D11
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,3_1_00506DCE
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,5_1_00506D11
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,5_1_00506DCE
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B5A68 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,8_2_060B5A68
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B5994 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,8_2_060B5994
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01066D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,9_2_01066D11
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01066DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,9_2_01066DCE

    Networking:

    Found Tor onion address
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: kyud.exe, 00000005.00000003.546928310.0000000002437000.00000004.00000040.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: explorer.exe, 00000008.00000000.582216030.0000000006090000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000009.00000002.887586914.0000000001090000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
    Source: Joe Sandbox View | IP Address: 3.0.0.0 3.0.0.0
    Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00512021 getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select,3_2_00512021
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
    Source: explorer.exe, 00000008.00000002.896359912.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
    Source: uncategorized_3.0.0.0b.exe, kyud.exe, explorer.exe, TuMYMYbmZdZpXjmSr.exe, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhp
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp, kyud.exe, 00000005.00000001.534799577.0000000000400000.00000040.00020000.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000009.00000000.634946336.0000000000F60000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.887082743.0000000000D20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.889000635.0000000000E00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000000.769856539.0000000001200000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.891187548.00000000019D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000000.818061761.0000000000FA0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000000.835119633.0000000001BF0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbc4
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp, kyud.exe, 00000005.00000003.546928310.0000000002437000.00000004.00000040.sdmp, explorer.exe, 00000008.00000000.582216030.0000000006090000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000009.00000002.887586914.0000000001090000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.oni
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FEB56 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,3_2_004FEB56
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FE962 EnterCriticalSection,GetTickCount,GetForegroundWindow,GetWindowTextW,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,3_2_004FE962
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000002.487845748.00000000007EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
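
The "Found Tor onion address" signature above fires on the literal ".onion" substring, but no onion hostname is present: what the dumps carry is a string table naming chrome.exe, ws2_32.dll and GetAddrInfoExW, firefox.exe and the NSS PR_* exports, next to the loopback addresses 127.1.0.1 to 127.1.0.3 paired with ".onion". That is the shape of a browser API hook table, not a C2 address, so a memory-hunting check should require the combination rather than ".onion" alone, which would also flag Tor Browser and anything else that handles onion names. The scanner below is an added example written for this page, not Joe Sandbox code and not the sample's; the indicator list is lifted from the dump string at the top of this section, while the threshold of 8 matches and the three test buffers are the editor's assumptions.

```python
import re
from pathlib import Path

# Indicator strings lifted from the "String found in binary or memory" entry
# above: browser process names, the resolver/NSS exports that get hooked,
# and the loopback addresses paired with ".onion".
HOOK_TABLE_STRINGS = [
    b"chrome.exe",
    b"ws2_32.dll",
    b"GetAddrInfoExW",
    b".onion",
    b"127.1.0.1",
    b"127.1.0.2",
    b"127.1.0.3",
    b"firefox.exe",
    b"PR_GetNameForIdentity",
    b"PR_SetError",
    b"PR_GetError",
    b"NSS layer",
    b"http://www.google.com/webhp",
]

# Assumed threshold: a lone ".onion" or "chrome.exe" is common in benign
# memory, so demand most of the table plus the .onion/loopback pairing.
MIN_MATCHES = 8


def _compile_patterns():
    """Search each indicator both as ASCII and as UTF-16LE (wide) bytes."""
    patterns = []
    for s in HOOK_TABLE_STRINGS:
        wide = s.decode("ascii").encode("utf-16-le")
        patterns.append((s.decode("ascii"), re.compile(re.escape(s))))
        patterns.append((s.decode("ascii"), re.compile(re.escape(wide))))
    return patterns


PATTERNS = _compile_patterns()


def scan_buffer(buf):
    """Return (hit, sorted list of matched indicators) for one memory buffer."""
    matched = set()
    for name, pat in PATTERNS:
        if pat.search(buf):
            matched.add(name)
    onion_loopback = ".onion" in matched and any(
        "127.1.0.%d" % i in matched for i in (1, 2, 3)
    )
    hit = len(matched) >= MIN_MATCHES and onion_loopback
    return hit, sorted(matched)


def scan_dumps(directory, glob="*.dmp"):
    """Scan every dump file under a directory; returns {path: matched} for hits only."""
    hits = {}
    for path in Path(directory).glob(glob):
        hit, matched = scan_buffer(path.read_bytes())
        if hit:
            hits[str(path)] = matched
    return hits


# Constructed test buffers (not real dumps): the table as the report shows it,
# the same table stored as wide characters, and a benign buffer that merely
# mentions onion sites and browser names.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b".tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW"
    b".onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3"
    b"firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Length"
    b"http://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization"
    + b"\x00" * 16
)
WIDE_SAMPLE_MEMORY = SAMPLE_MEMORY.decode("latin-1").encode("utf-16-le")
BENIGN_MEMORY = b"Tor Browser resolves example.onion for chrome.exe and firefox.exe users"

if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE_MEMORY), ("wide", WIDE_SAMPLE_MEMORY), ("benign", BENIGN_MEMORY)):
        hit, matched = scan_buffer(buf)
        print(label, "HIT" if hit else "clean", len(matched), "indicators")
```

Run it against a directory of process dumps with scan_dumps("dumps"); the benign buffer matches three indicators and stays clean, the report's table matches all thirteen in both encodings.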

    E-Banking Fraud:

    Detected ZeusVM e-Banking Trojan
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,3_2_00517A92
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,3_1_00517A92
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,5_1_00517A92
    Source: C:\Windows\explorer.exe | Code function: 8_2_060BB298 lstrcmpiA,lstrcmpiA,8_2_060BB298
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01077A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,9_2_01077A92
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FCAD4 OpenDesktopW,CreateDesktopW,3_2_004FCAD4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,3_2_00516268
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005165CE TlsGetValue,NtCreateFile,3_2_005165CE
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,3_2_00516759
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_0050A713
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,3_2_005168B9
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,3_2_00515CAF
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,3_2_00515E43
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00514E03 NtCreateUserProcess,NtCreateThread,3_2_00514E03
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,recv,WSARecv,connect,WSAConnect,getaddrinfo,GetAddrInfoW,gethostbyname,WSAAsyncGetHostByName,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,3_2_00514F47
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,3_1_00516268
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_005165CE TlsGetValue,NtCreateFile,3_1_005165CE
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,3_1_00516759
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_1_0050A713
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,3_1_005168B9
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,3_1_00515CAF
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,3_1_00515E43
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_00514E03 NtCreateUserProcess,NtCreateThread,3_1_00514E03
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,#16,WSARecv,#4,WSAConnect,getaddrinfo,GetAddrInfoW,#52,#103,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,3_1_00514F47
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,5_1_00516268
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_005165CE TlsGetValue,NtCreateFile,5_1_005165CE
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,5_1_00516759
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,5_1_0050A713
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,5_1_005168B9
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,5_1_00515CAF
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,5_1_00515E43
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00514E03 NtCreateUserProcess,NtCreateThread,5_1_00514E03
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,#16,WSARecv,#4,WSAConnect,getaddrinfo,GetAddrInfoW,#52,#103,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,5_1_00514F47
    Source: C:\Windows\explorer.exeCode function: 8_2_060B767C GetModuleFileNameW,CreateProcessW,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,8_2_060B767C
    Source: C:\Windows\explorer.exeCode function: 8_2_060966F8 NtQueryDirectoryFile,LdrLoadDll,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,recv,WSARecv,connect,WSAConnect,getaddrinfo,GetAddrInfoW,gethostbyname,WSAAsyncGetHostByName,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,8_2_060966F8
    Source: C:\Windows\explorer.exeCode function: 8_2_0609E78C NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,Wow64GetThreadContext,Wow64SetThreadContext,VirtualFreeEx,CloseHandle,GetThreadContext,RtlUserThreadStart,SetThreadContext,8_2_0609E78C
    Source: C:\Windows\explorer.exeCode function: 8_2_0609EFB4 TlsGetValue,NtCreateFile,8_2_0609EFB4
    Source: C:\Windows\explorer.exeCode function: 8_2_06096530 NtCreateUserProcess,NtCreateThread,8_2_06096530
    Source: C:\Windows\explorer.exeCode function: 8_2_0609E5D8 NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,8_2_0609E5D8
    Source: C:\Windows\explorer.exeCode function: 8_2_0609EB80 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,8_2_0609EB80
    Source: C:\Windows\explorer.exeCode function: 8_2_0609F3F4 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,8_2_0609F3F4
    Source: C:\Windows\explorer.exeCode function: 8_2_0609F1D0 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,8_2_0609F1D0
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_2_00502311 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,3_2_00502311
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_2_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,3_2_004FF06B
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_2_004FDF60 ExitWindowsEx,3_2_004FDF60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,3_1_004FF06B
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exeCode function: 3_1_004FDF60 ExitWindowsEx,3_1_004FDF60
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,5_1_004FF06B
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_004FDF60 ExitWindowsEx,5_1_004FDF60
    Source: C:\Windows\explorer.exeCode function: 8_2_060A9C7C InitiateSystemShutdownExW,ExitWindowsEx,8_2_060A9C7C
    Source: C:\Windows\explorer.exeCode function: 8_2_060AB938 ExitWindowsEx,8_2_060AB938
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exeCode function: 9_2_0105F06B InitiateSystemShutdownExW,ExitWindowsEx,9_2_0105F06B
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exeCode function: 9_2_0105DF60 ExitWindowsEx,9_2_0105DF60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 0_2_004018BC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00512021
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004173B8
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0041F51C
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00503795
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004197A4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00416814
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00401923
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004219B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00423A60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00405B53
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00510BF4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0042AC84
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00415CA4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00423EB0
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00417EBC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00512021
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004173B8
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0041F51C
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00503795
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004197A4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00416814
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00401923
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004219B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00423A60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00405B53
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00510BF4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0042AC84
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00415CA4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00423EB0
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00417EBC
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00512021
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004173B8
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_0041F51C
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00503795
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004197A4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00416814
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00401923
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004219B4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00423A60
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00405B53
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00510BF4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_0042AC84
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00415CA4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00423EB0
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00417EBC
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A577C
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B1770
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A4C78
    Source: C:\Windows\explorer.exe | Code function: 8_2_06093499
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B8544
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A3564
    Source: C:\Windows\explorer.exe | Code function: 8_2_060ACDDC
    Source: C:\Windows\explorer.exe | Code function: 8_2_060AF274
    Source: C:\Windows\explorer.exe | Code function: 8_2_060AC2A4
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B1320
    Source: C:\Windows\explorer.exe | Code function: 8_2_060BA844
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A7064
    Source: C:\Windows\explorer.exe | Code function: 8_2_060A40D4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01072021
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F773B8
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F7F51C
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01063795
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F797A4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F76814
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F819B4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F61923
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F83A60
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01070BF4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F65B53
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F75CA4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F8AC84
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F83EB0
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F77EBC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process token adjusted: Security
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: String function: 01068290 appears 31 times
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: String function: 00508290 appears 62 times
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: String function: 00508290 appears 31 times
    Source: C:\Windows\explorer.exe | Code function: String function: 06091540 appears 42 times
    Source: kyud.exe.3.dr | Static PE information: No import functions for PE file found
    Source: uncategorized_3.0.0.0b.exe | Static PE information: No import functions for PE file found
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.468277911.0000000003068000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDino1.exe vs uncategorized_3.0.0.0b.exe
    Source: uncategorized_3.0.0.0b.exe, 00000003.00000000.484541601.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDino1.exe vs uncategorized_3.0.0.0b.exe
    Source: uncategorized_3.0.0.0b.exe | Binary or memory string: *\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000002.487368672.000000000040C000.00000004.00020000.sdmp, kyud.exe, 00000004.00000002.536650308.000000000040C000.00000004.00020000.sdmp | Binary or memory string: fx&@*\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.481712632.0000000000851000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000000.484521578.0000000000401000.00000020.00020000.sdmp, kyud.exe, 00000004.00000003.519430846.0000000003192000.00000004.00000001.sdmp, kyud.exe, 00000005.00000000.533351617.0000000000401000.00000020.00020000.sdmp | Binary or memory string: @*\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@10/2@0/1
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B74F4 CertOpenSystemStoreW,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
    Source: C:\Windows\explorer.exe | Code function: 8_2_060B7298 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,__swprintf_l,CertCloseStore
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_0105A990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_0105AB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
    Source: C:\Windows\explorer.exe | Code function: 8_2_060AF9A8 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_0106207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00502029 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00508501 CoCreateInstance
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | File created: C:\Users\user\AppData\Roaming\Suezu
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_01
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{925112C8-6E15-0650-B5F4-FCC45F896FB5}
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{A5716C9B-1046-3170-B7A5-DD345DD84E45}
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{A5716C9B-1046-3170-67B2-DD348DCF4E45}
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{A5716C9B-1046-3170-EBA2-DD3401DF4E45}
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | File created: C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat
    Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: uncategorized_3.0.0.0b.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: uncategorized_3.0.0.0b.exe | Virustotal: Detection: 85%
    Source: uncategorized_3.0.0.0b.exe | Metadefender: Detection: 11%
    Source: uncategorized_3.0.0.0b.exe | ReversingLabs: Detection: 92%
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | File read: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: unknown | Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe 'C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe'
    Source: unknown | Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: uncategorized_3.0.0.0b.exe | Static file information: File size 1245316 > 1048576
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.590678113.000000000BAE0000.00000002.00000001.sdmp
    Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.590678113.000000000BAE0000.00000002.00000001.sdmp

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Unpacked PE file: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Unpacked PE file: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,