Analysis Report uncategorized_3.0.0.0b.vir

Overview

General Information

Sample Name: uncategorized_3.0.0.0b.vir (renamed file extension from vir to exe)
Analysis ID: 247303
MD5: 8e326a09b93cc447d0ea9a3992bb4962
SHA1: 0a57892f4f92507f0f3405228274c5bfeb1103c5
SHA256: f990daf6364d6aeb0a8482a8fdab098b5790f29f2f34dd38ef4a83ac36827fe9

Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Allocates memory in foreign processes
Contains VNC / remote desktop functionality (version string found)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops batch files with force delete cmd (self deletion)
Found Tor onion address
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May initialize a security null descriptor
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: uncategorized_3.0.0.0b.exe PID: 2772 | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: uncategorized_3.0.0.0b.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Avira: detection malicious, Label: HEUR/AGEN.1009057
Multi AV Scanner detection for submitted file
Source: uncategorized_3.0.0.0b.exe | Virustotal: Detection: 85%
Source: uncategorized_3.0.0.0b.exe | Metadefender: Detection: 11%
Source: uncategorized_3.0.0.0b.exe | ReversingLabs: Detection: 92%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uncategorized_3.0.0.0b.exe | Joe Sandbox ML: detected
Source: 18.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 0.0.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 18.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.3.kyud.exe.2b50000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 10.2.TuMYMYbmZdZpXjmSr.exe.d20000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 23.2.TuMYMYbmZdZpXjmSr.exe.12e0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 23.0.TuMYMYbmZdZpXjmSr.exe.1bf0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 9.2.TuMYMYbmZdZpXjmSr.exe.f60000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 15.2.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 3.2.uncategorized_3.0.0.0b.exe.2230000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 11.0.TuMYMYbmZdZpXjmSr.exe.e00000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 15.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 15.2.TuMYMYbmZdZpXjmSr.exe.1600000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 21.0.TuMYMYbmZdZpXjmSr.exe.19b0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 19.2.TuMYMYbmZdZpXjmSr.exe.1200000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 16.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 3.3.uncategorized_3.0.0.0b.exe.2ab0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 22.0.TuMYMYbmZdZpXjmSr.exe.fa0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 5.0.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 17.2.TuMYMYbmZdZpXjmSr.exe.d00000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 16.2.TuMYMYbmZdZpXjmSr.exe.7c0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 14.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 14.2.TuMYMYbmZdZpXjmSr.exe.ac0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 24.2.TuMYMYbmZdZpXjmSr.exe.14d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 3.3.uncategorized_3.0.0.0b.exe.2ab0000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 21.2.TuMYMYbmZdZpXjmSr.exe.1140000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 21.2.TuMYMYbmZdZpXjmSr.exe.19b0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 11.2.TuMYMYbmZdZpXjmSr.exe.770000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 10.2.TuMYMYbmZdZpXjmSr.exe.e50000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.TuMYMYbmZdZpXjmSr.exe.f60000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 8.2.explorer.exe.6090000.23.unpack | Avira: Label: TR/Spy.Gen
Source: 22.2.TuMYMYbmZdZpXjmSr.exe.fa0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 24.2.TuMYMYbmZdZpXjmSr.exe.c00000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 3.1.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 23.2.TuMYMYbmZdZpXjmSr.exe.1bf0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 9.2.TuMYMYbmZdZpXjmSr.exe.1090000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 10.0.TuMYMYbmZdZpXjmSr.exe.d20000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 8.0.explorer.exe.6090000.23.unpack | Avira: Label: TR/Spy.Gen
Source: 14.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 22.2.TuMYMYbmZdZpXjmSr.exe.1a0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 18.2.TuMYMYbmZdZpXjmSr.exe.a60000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 4.2.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 20.0.TuMYMYbmZdZpXjmSr.exe.19d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 4.0.kyud.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.1.kyud.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 20.2.TuMYMYbmZdZpXjmSr.exe.19d0000.2.unpack | Avira: Label: TR/Spy.Gen
Source: 17.0.TuMYMYbmZdZpXjmSr.exe.d00000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 19.2.TuMYMYbmZdZpXjmSr.exe.f20000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 11.2.TuMYMYbmZdZpXjmSr.exe.e00000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 3.0.uncategorized_3.0.0.0b.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 20.2.TuMYMYbmZdZpXjmSr.exe.10e0000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 24.0.TuMYMYbmZdZpXjmSr.exe.14d0000.1.unpack | Avira: Label: TR/Spy.Gen
Source: 17.2.TuMYMYbmZdZpXjmSr.exe.130000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 19.0.TuMYMYbmZdZpXjmSr.exe.1200000.0.unpack | Avira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0050B34A CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0050B34A CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_0050B34A CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00501AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\explorer.exe | Code function: 8_2_06099614 __swprintf_l,CryptUnprotectData,LocalFree,__swprintf_l,
Source: C:\Windows\explorer.exe | Code function: 8_2_060AF374 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\explorer.exe | Code function: 8_2_06091078 CryptReleaseContext,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_0106B34A CryptUnprotectData,LocalFree,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01061AA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Windows\explorer.exe | Code function: 8_2_06091548 IsBadReadPtr,NetUserEnum,
Source: C:\Windows\explorer.exe | Code function: 8_2_06091568 NetUserEnum,
Source: C:\Windows\explorer.exe | Code function: 8_2_060A7064 LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_010692B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00506D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00506DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe | Code function: 8_2_060B5A68 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe | Code function: 8_2_060B5994 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01066D11 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01066DCE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

Networking:

Found Tor onion address
Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: kyud.exe, 00000005.00000003.546928310.0000000002437000.00000004.00000040.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: explorer.exe, 00000008.00000000.582216030.0000000006090000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000009.00000002.887586914.0000000001090000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: .tmphttp://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.onion127.1.0.1127.1.0.2127.1.0.3firefox.exePR_GetNameForIdentityPR_SetErrorPR_GetErrorHostContent-Lengthhttp://NSS layerSSLhttps://RefererUser-AgentContent-TypeAuthorization
Source: Joe Sandbox View | IP Address: 3.0.0.0 3.0.0.0
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00512021 getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select,
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000008.00000002.896359912.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: uncategorized_3.0.0.0b.exe, kyud.exe, explorer.exe, TuMYMYbmZdZpXjmSr.exe, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhp
Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp, kyud.exe, 00000005.00000001.534799577.0000000000400000.00000040.00020000.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000009.00000000.634946336.0000000000F60000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.887082743.0000000000D20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.889000635.0000000000E00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000000.769856539.0000000001200000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.891187548.00000000019D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000000.818061761.0000000000FA0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000000.835119633.0000000001BF0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbc4
Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.485476782.0000000003AF0000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000002.541844486.0000000000400000.00000040.00000001.sdmp, kyud.exe, 00000005.00000003.546928310.0000000002437000.00000004.00000040.sdmp, explorer.exe, 00000008.00000000.582216030.0000000006090000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000009.00000002.887586914.0000000001090000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000A.00000002.889504480.0000000000E50000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000B.00000002.888501066.0000000000770000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000E.00000000.682759357.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 0000000F.00000002.890484803.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000010.00000002.889685239.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000011.00000000.736153350.0000000000D00000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000012.00000002.892880427.00000000014D0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000013.00000002.896737167.0000000000F20000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000014.00000002.885809347.00000000010E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000015.00000002.889417041.00000000019B0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000016.00000002.883253659.00000000001A0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000017.00000002.886044741.00000000012E0000.00000040.00000001.sdmp, TuMYMYbmZdZpXjmSr.exe, 00000018.00000002.890622384.00000000014D0000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbcchrome.exews2_32.dllGetAddrInfoExW.onion127.1.0.1127.1.0.2127.1.0.3.oni
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.592305395.000000000CB96000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FEB56 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FE962 EnterCriticalSection,GetTickCount,GetForegroundWindow,GetWindowTextW,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,
Source: uncategorized_3.0.0.0b.exe, 00000000.00000002.487845748.00000000007EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,
Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00517A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,
Source: C:\Windows\explorer.exe | Code function: 8_2_060BB298 lstrcmpiA,lstrcmpiA,
Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_01077A92 lstrcmpiA,lstrcmpiA,lstrcmpiA,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FCAD4 OpenDesktopW,CreateDesktopW,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005165CE TlsGetValue,NtCreateFile,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00514E03 NtCreateUserProcess,NtCreateThread,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,recv,WSARecv,connect,WSAConnect,getaddrinfo,GetAddrInfoW,gethostbyname,WSAAsyncGetHostByName,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_005165CE TlsGetValue,NtCreateFile,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00514E03 NtCreateUserProcess,NtCreateThread,
Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,#16,WSARecv,#4,WSAConnect,getaddrinfo,GetAddrInfoW,#52,#103,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00516268 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_005165CE TlsGetValue,NtCreateFile,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00516759 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_0050A713 GetModuleFileNameW,CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_005168B9 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00515CAF NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00515E43 NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00514E03 NtCreateUserProcess,NtCreateThread,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeCode function: 5_1_00514F47 LdrLoadDll,NtQueryDirectoryFile,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,#16,WSARecv,#4,WSAConnect,getaddrinfo,GetAddrInfoW,#52,#103,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,
    Source: C:\Windows\explorer.exeCode function: 8_2_060B767C GetModuleFileNameW,CreateProcessW,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
    Source: C:\Windows\explorer.exeCode function: 8_2_060966F8 NtQueryDirectoryFile,LdrLoadDll,NtCreateFile,NtEnumerateKey,NtEnumerateValueKey,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,recv,WSARecv,connect,WSAConnect,getaddrinfo,GetAddrInfoW,gethostbyname,WSAAsyncGetHostByName,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609E78C NtCreateUserProcess,GetProcessId,OpenProcess,CloseHandle,Wow64GetThreadContext,Wow64SetThreadContext,VirtualFreeEx,CloseHandle,GetThreadContext,RtlUserThreadStart,SetThreadContext,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609EFB4 TlsGetValue,NtCreateFile,
    Source: C:\Windows\explorer.exeCode function: 8_2_06096530 NtCreateUserProcess,NtCreateThread,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609E5D8 NtQueryInformationProcess,OpenProcess,CloseHandle,CloseHandle,NtCreateThread,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609EB80 NtQueryDirectoryFile,TlsGetValue,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,NtQueryDirectoryFile,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlUnicodeStringToAnsiString,RtlFreeAnsiString,RtlFreeAnsiString,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609F3F4 NtEnumerateValueKey,PathQuoteSpacesW,NtEnumerateValueKey,NtEnumerateValueKey,
    Source: C:\Windows\explorer.exeCode function: 8_2_0609F1D0 NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,NtEnumerateKey,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00502311 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004FDF60 ExitWindowsEx,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004FDF60 ExitWindowsEx,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004FF06B InitiateSystemShutdownExW,ExitWindowsEx,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004FDF60 ExitWindowsEx,
    Source: C:\Windows\explorer.exe Code function: 8_2_060A9C7C InitiateSystemShutdownExW,ExitWindowsEx,
    Source: C:\Windows\explorer.exe Code function: 8_2_060AB938 ExitWindowsEx,
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_0105F06B InitiateSystemShutdownExW,ExitWindowsEx,
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_0105DF60 ExitWindowsEx,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 0_2_004018BC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00512021
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004173B8
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_0041F51C
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00503795
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004197A4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00416814
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00401923
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004219B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00423A60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00405B53
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00510BF4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_0042AC84
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00415CA4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00423EB0
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00417EBC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00512021
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004173B8
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_0041F51C
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00503795
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004197A4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00416814
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00401923
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004219B4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00423A60
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00405B53
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00510BF4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_0042AC84
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00415CA4
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00423EB0
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_00417EBC
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00512021
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004173B8
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_0041F51C
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00503795
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004197A4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00416814
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00401923
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004219B4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00423A60
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00405B53
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00510BF4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_0042AC84
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00415CA4
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00423EB0
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_00417EBC
    Source: C:\Windows\explorer.exe Code function: 8_2_060A577C
    Source: C:\Windows\explorer.exe Code function: 8_2_060B1770
    Source: C:\Windows\explorer.exe Code function: 8_2_060A4C78
    Source: C:\Windows\explorer.exe Code function: 8_2_06093499
    Source: C:\Windows\explorer.exe Code function: 8_2_060B8544
    Source: C:\Windows\explorer.exe Code function: 8_2_060A3564
    Source: C:\Windows\explorer.exe Code function: 8_2_060ACDDC
    Source: C:\Windows\explorer.exe Code function: 8_2_060AF274
    Source: C:\Windows\explorer.exe Code function: 8_2_060AC2A4
    Source: C:\Windows\explorer.exe Code function: 8_2_060B1320
    Source: C:\Windows\explorer.exe Code function: 8_2_060BA844
    Source: C:\Windows\explorer.exe Code function: 8_2_060A7064
    Source: C:\Windows\explorer.exe Code function: 8_2_060A40D4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_01072021
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F773B8
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F7F51C
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_01063795
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F797A4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F76814
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F819B4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F61923
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F83A60
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_01070BF4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F65B53
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F75CA4
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F8AC84
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F83EB0
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_00F77EBC
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Process token adjusted: Security
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: String function: 01068290 appears 31 times
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: String function: 00508290 appears 62 times
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: String function: 00508290 appears 31 times
    Source: C:\Windows\explorer.exe Code function: String function: 06091540 appears 42 times
    Source: kyud.exe.3.dr Static PE information: No import functions for PE file found
    Source: uncategorized_3.0.0.0b.exe Static PE information: No import functions for PE file found
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.468277911.0000000003068000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDino1.exe vs uncategorized_3.0.0.0b.exe
    Source: uncategorized_3.0.0.0b.exe, 00000003.00000000.484541601.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDino1.exe vs uncategorized_3.0.0.0b.exe
    Source: uncategorized_3.0.0.0b.exe Binary or memory string: *\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000002.487368672.000000000040C000.00000004.00020000.sdmp, kyud.exe, 00000004.00000002.536650308.000000000040C000.00000004.00020000.sdmp Binary or memory string: fx&@*\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: uncategorized_3.0.0.0b.exe, 00000000.00000003.481712632.0000000000851000.00000004.00000001.sdmp, uncategorized_3.0.0.0b.exe, 00000003.00000000.484521578.0000000000401000.00000020.00020000.sdmp, kyud.exe, 00000004.00000003.519430846.0000000003192000.00000004.00000001.sdmp, kyud.exe, 00000005.00000000.533351617.0000000000401000.00000020.00020000.sdmp Binary or memory string: @*\AD:\iuguvvvuvyguy848949\REeB.vbp
    Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@10/2@0/1
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004FA990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_004FAB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
    Source: C:\Windows\explorer.exe Code function: 8_2_060B74F4 CertOpenSystemStoreW,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
    Source: C:\Windows\explorer.exe Code function: 8_2_060B7298 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,__swprintf_l,CertCloseStore,
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_0105A990 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_0105AB0D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_1_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Code function: 5_1_0050207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
    Source: C:\Windows\explorer.exe Code function: 8_2_060AF9A8 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe Code function: 9_2_0106207E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00502029 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Code function: 3_2_00508501 CoCreateInstance,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe File created: C:\Users\user\AppData\Roaming\Suezu
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe File created: C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat
    Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: uncategorized_3.0.0.0b.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: uncategorized_3.0.0.0b.exe Virustotal: Detection: 85%
    Source: uncategorized_3.0.0.0b.exe Metadefender: Detection: 11%
    Source: uncategorized_3.0.0.0b.exe ReversingLabs: Detection: 92%
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe File read: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: unknown Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe 'C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe'
    Source: unknown Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: unknown Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: unknown Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Process created: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Process created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat'
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exeProcess created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe C:\Users\user\AppData\Roaming\Suezu\kyud.exe
    Source: uncategorized_3.0.0.0b.exeStatic file information: File size 1245316 > 1048576
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.590678113.000000000BAE0000.00000002.00000001.sdmp
    Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.590678113.000000000BAE0000.00000002.00000001.sdmp

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Unpacked PE file: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Unpacked PE file: 3.2.uncategorized_3.0.0.0b.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_005092B4 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
    Source: kyud.exe.3.dr | Static PE information: real checksum: 0x1b1af should be: 0x13b126
    Source: uncategorized_3.0.0.0b.exe | Static PE information: real checksum: 0x1b1af should be: 0x132240
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 0_2_00407F0A push FC01F4FFh; retf
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 0_2_0040AFF0 push ds; retf
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004030DC push esi; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00402243 push cs; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00402279 push cs; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00406473 push cs; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004064A9 push cs; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00401BAD push es; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_00405DDD push es; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004030DC push esi; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00402243 push cs; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00402279 push cs; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00406473 push cs; ret
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_004064A9 push cs; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00401BAD push es; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_1_00405DDD push es; iretd
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004030DC push esi; ret
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00402243 push cs; ret
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00402279 push cs; iretd
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00406473 push cs; ret
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_004064A9 push cs; iretd
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00401BAD push es; iretd
    Source: C:\Users\user\AppData\Roaming\Suezu\kyud.exe | Code function: 5_1_00405DDD push es; iretd
    Source: C:\Windows\explorer.exe | Code function: 8_2_06095BE1 pushfq ; retf
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F630DC push esi; ret
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F62279 push cs; iretd
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F62243 push cs; ret
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F664A9 push cs; iretd
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F66473 push cs; ret
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F61BAD push es; iretd
    Source: C:\Program Files\dgzPXdLkVXUzPCkeGkGFZYFOsFTHtRSrSfgLThDDHf\TuMYMYbmZdZpXjmSr.exe | Code function: 9_2_00F65DDD push es; iretd
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | File created: C:\Users\user\AppData\Roaming\Suezu\kyud.exe

    Hooking and other Techniques for Hiding and Protection:

    Drops batch files with force delete cmd (self deletion)
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | File created: C:\Users\user\AppData\Local\Temp\tmp758a7bb0.bat
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Code function: 3_2_004FCDF7 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\uncategorized_3.0.0.0b.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Use