Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Variant.Zusy.394472.15672.20727

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Zusy.394472.15672.20727 (renamed file extension from 20727 to exe)
Analysis ID:	452434
MD5:	89cfb542cda6a428cc5c02feaf3c55f8
SHA1:	9a0606c633ffe5ae4b6dcb7dcfba57b7e22cb05d
SHA256:	b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Zusy.394472.15672.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe' MD5: 89CFB542CDA6A428CC5C02FEAF3C55F8)

SecuriteInfo.com.Variant.Zusy.394472.15672.exe (PID: 6568 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe' MD5: 89CFB542CDA6A428CC5C02FEAF3C55F8)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yjhlgg.com/grve/"], "decoy": ["jrvinganimalexterminator.com", "smallsyalls.com", "po1c3.com", "mencg.com", "aussieenjoyment.today", "espace22.com", "aanmelding-desk.info", "gallopshoes.com", "nftsexy.com", "ricosdulcesmexicanos.com", "riseswift.com", "thechicthirty.com", "matdcg.com", "alternet.today", "creativehuesdesigns.com", "rjkcrafts.com", "lowdosemortgage.com", "adoptahamster.com", "wellness-sense.com", "jacardcapital.com", "pastiindonesia.com", "lindsaynathan2021.com", "brisbanemagicians.com", "tvglanz.com", "388384.com", "mitgrim.com", "endonelatrading.com", "political.singles", "ganjegirls.com", "democratscancelled.com", "ytzhubao.com", "roiskylands.com", "zamlgroup.com", "winstonsalemathleticclub.com", "62qtz2.com", "caddyys.com", "ecorarte.com", "coonier.com", "cbgmanhattan-hub.com", "givanon.com", "tioniis11.com", "variceselite.com", "tasaciona.com", "hiphopeconomicdevelopment.com", "citrixfile.com", "piebuilder.com", "drmetalpublishing.com", "themesthatyoulike.com", "vinhomes-phamhung.info", "ardecentro.com", "gameshowsatwork.com", "go-rillathebrand.com", "virtualppo.com", "nogodbeforeme.net", "fabrezeairpurifiers.com", "roorisor.com", "elaraberentcar.com", "rugpat.com", "renewalbyheather.com", "innocox.com", "ztsj10086.com", "channelarmor.info", "thecarbonbox.store", "edicionesvita.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.yjhlgg.com/grve/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.yjhlgg.com/grve/"], "decoy": ["jrvinganimalexterminator.com", "smallsyalls.com", "po1c3.com", "mencg.com", "aussieenjoyment.today", "espace22.com", "aanmelding-desk.info", "gallopshoes.com", "nftsexy.com", "ricosdulcesmexicanos.com", "riseswift.com", "thechicthirty.com", "matdcg.com", "alternet.today", "creativehuesdesigns.com", "rjkcrafts.com", "lowdosemortgage.com", "adoptahamster.com", "wellness-sense.com", "jacardcapital.com", "pastiindonesia.com", "lindsaynathan2021.com", "brisbanemagicians.com", "tvglanz.com", "388384.com", "mitgrim.com", "endonelatrading.com", "political.singles", "ganjegirls.com", "democratscancelled.com", "ytzhubao.com", "roiskylands.com", "zamlgroup.com", "winstonsalemathleticclub.com", "62qtz2.com", "caddyys.com", "ecorarte.com", "coonier.com", "cbgmanhattan-hub.com", "givanon.com", "tioniis11.com", "variceselite.com", "tasaciona.com", "hiphopeconomicdevelopment.com", "citrixfile.com", "piebuilder.com", "drmetalpublishing.com", "themesthatyoulike.com", "vinhomes-phamhung.info", "ardecentro.com", "gameshowsatwork.com", "go-rillathebrand.com", "virtualppo.com", "nogodbeforeme.net", "fabrezeairpurifiers.com", "roorisor.com", "elaraberentcar.com", "rugpat.com", "renewalbyheather.com", "innocox.com", "ztsj10086.com", "channelarmor.info", "thecarbonbox.store", "edicionesvita.com"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: www.yjhlgg.com/grve/

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Virustotal: Detection: 51%	Perma Link
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Metadefender: Detection: 22%	Perma Link
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Joe Sandbox ML: detected

Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.5c0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000001.00000003.639462821.00000000023F0000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000003.00000002.647334486.00000000009C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.yjhlgg.com/grve/

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000001.00000002.644990740.000000000063A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419D50 NtCreateFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419E00 NtReadFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419E80 NtClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419F30 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419DFB NtReadFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419E7A NtClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00419F2A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2B040 NtSuspendThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A295F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A295D0 NtClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29560 NtWriteFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29540 NtReadFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A296D0 NtCreateKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29650 NtQueryValueKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A297A0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29780 NtMapViewOfSection,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29710 NtQueryInformationToken,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29760 NtOpenProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2A770 NtOpenThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29770 NtSetInformationFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A298A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A298F0 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29820 NtEnumerateKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29840 NtDelayExecution,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A299A0 NtCreateSection,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A299D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29910 NtAdjustPrivilegesToken,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29950 NtQueueApcThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29A20 NtResumeThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29A00 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29A10 NtQuerySection,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29A50 NtCreateFile,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29B00 NtSetValueKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A29FE0 NtCreateMutant,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041D18D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041E20E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00402D87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00409E2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00409E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041DFA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB20A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA60F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA1002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB32A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB22AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAE2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C225E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C3382
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A923E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA03DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A03360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C337D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C94B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A02430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAD466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A165A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB25DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FD5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAD616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA67E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB28EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00ABE824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A02990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EF900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A9FA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA5A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A8EB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A38BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AADBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB2B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A8CB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A14CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AACC77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA2D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB2D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E0D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A02D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB1D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A91EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB2EF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A06E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A6AE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB1FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00ABDFCE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: String function: 00A75720 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: String function: 009EB150 appears 177 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: String function: 00A3D08C appears 50 times

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000001.00000003.644541453.000000000250F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Zusy.394472.15672.exe
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000001.00000002.644776222.0000000000420000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs SecuriteInfo.com.Variant.Zusy.394472.15672.exe
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000003.00000002.647485358.0000000000ADF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@0/0

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Virustotal: Detection: 51%
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Metadefender: Detection: 22%
Source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000001.00000003.639462821.00000000023F0000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Zusy.394472.15672.exe, 00000003.00000002.647334486.00000000009C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Unpacked PE file: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041684E push edi; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00417AF6 push eax; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00417B5D push ebp; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041CEF2 push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041CEFB push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041CEA5 push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_0041CF5C push eax; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A3D0D1 push ecx; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C4288 pushad ; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C322C push eax; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C225E push eax; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C427E pushad ; retf 000Dh
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C9271 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009CA7C0 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009C3F9F pushad ; ret

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Code function: 3_2_00409A80 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Code function: 3_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Code function: 3_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A290AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E70C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E70C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A14020 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A73019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E7057 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A00050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A00050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E519E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E519E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8190 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00ABF1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00ABF1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAA189 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAA189 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A14190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F61A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F61A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F61A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F61A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0D1EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FC1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E31E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F0100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F0100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F0100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E3138 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A112BD mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A112BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A112BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA129A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E12D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA1229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A9B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A9B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A2927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A74257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A9D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A923E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A923E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A923E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A153C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A76365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A76365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A76365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FF370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FF370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FF370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A734A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A734A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A734A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A764B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A764B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E1480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F34B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F34B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F14A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F14A9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A184E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8410 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A02430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A02430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E4439 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB8450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A135A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A165A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A165A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A165A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E3591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A12581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A195EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E15C1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E95F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E95F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E9515 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A6A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AAE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A63540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A646A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA56B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA56B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E86A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A116E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A106C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A136CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A17620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A65623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E1618 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C63D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A05600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EA63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EA63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009FB62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A04670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A76652 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A137EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A237F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB87CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA17D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C707 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A14710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1D715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0E760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0E760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009EA745 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA1751 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A178A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E3880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E3880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A63884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A63884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E78D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E78D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E78D6 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AB98FE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA18CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009F28FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_009E6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A0F86D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA1843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00AA49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A199BC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C9BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A1C9BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe	Code function: 3_2_00A099BF mov ecx, dword ptr fs:[00000030h]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Section loaded: unknown target: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe protection: execute and read and write

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery12	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection111	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Zusy.394472.15672.exe	51%	Virustotal		Browse
SecuriteInfo.com.Variant.Zusy.394472.15672.exe	23%	Metadefender		Browse
SecuriteInfo.com.Variant.Zusy.394472.15672.exe	61%	ReversingLabs	Win32.Trojan.VirRansom
SecuriteInfo.com.Variant.Zusy.394472.15672.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.600000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.5c0000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.2.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.1.SecuriteInfo.com.Variant.Zusy.394472.15672.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.yjhlgg.com/grve/	9%	Virustotal		Browse
www.yjhlgg.com/grve/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.yjhlgg.com/grve/	true	9%, Virustotal, Browse Avira URL Cloud: malware	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452434
Start date:	22.07.2021
Start time:	10:48:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Variant.Zusy.394472.15672.20727 (renamed file extension from 20727 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 37.8% (good quality ratio 34.8%) Quality average: 67.9% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.972672862174758
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Zusy.394472.15672.exe
File size:	198124
MD5:	89cfb542cda6a428cc5c02feaf3c55f8
SHA1:	9a0606c633ffe5ae4b6dcb7dcfba57b7e22cb05d
SHA256:	b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17
SHA512:	22fd691c761ec2ac5be4b3a9b682daf53abb3de05787d07474bc0e41a8c7bf001a10783f3eea6d7d70528dae1da13506e4370b16f3c02b7d92db9e6ffb2ac79b
SSDEEP:	3072:p5y2zSw5QFZ5h8gOgXN15tm4Inoll4wegWYXzb+f3iIvwDrqvHDlkNBKrD9CafOn:Dy2OVbFvLKzTwePi+nQrU8+fLBcMQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........WuIl9&Il9&Il9&@..&Bl9&Il8&Ul9&@..&Hl9&@..&Hl9&RichIl9&........PE..L......`.....................................0....@........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60F8A6D1 [Wed Jul 21 22:59:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ad7593902351b94d30c5d42690419916

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000002B0h
mov byte ptr [ebp-000002A8h], FFFFFFE9h
mov byte ptr [ebp-000002A7h], FFFFFF90h
mov byte ptr [ebp-000002A6h], 00000000h
mov byte ptr [ebp-000002A5h], 00000000h
mov byte ptr [ebp-000002A4h], 00000000h
mov byte ptr [ebp-000002A3h], 00000055h
mov byte ptr [ebp-000002A2h], FFFFFF8Bh
mov byte ptr [ebp-000002A1h], FFFFFFECh
mov byte ptr [ebp-000002A0h], 00000056h
mov byte ptr [ebp-0000029Fh], FFFFFF8Bh
mov byte ptr [ebp-0000029Eh], 00000075h
mov byte ptr [ebp-0000029Dh], 00000008h
mov byte ptr [ebp-0000029Ch], FFFFFFBAh
mov byte ptr [ebp-0000029Bh], FFFFFF97h
mov byte ptr [ebp-0000029Ah], 00000008h
mov byte ptr [ebp-00000299h], 00000000h
mov byte ptr [ebp-00000298h], 00000000h
mov byte ptr [ebp-00000297h], 00000057h
mov byte ptr [ebp-00000296h], FFFFFFEBh
mov byte ptr [ebp-00000295h], 0000000Eh
mov byte ptr [ebp-00000294h], FFFFFF8Bh
mov byte ptr [ebp-00000293h], FFFFFFCAh
mov byte ptr [ebp-00000292h], FFFFFFD1h
mov byte ptr [ebp-00000291h], FFFFFFE8h
mov byte ptr [ebp-00000290h], FFFFFFC1h
mov byte ptr [ebp-0000028Fh], FFFFFFE1h
mov byte ptr [ebp-0000028Eh], 00000007h
mov byte ptr [ebp+00000000h], 00000000h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3084	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x84	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1248	0x1400	False	0.470703125	data	4.74743195609	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x3ae	0x400	False	0.53515625	data	4.4688660684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	CreateCompatibleDC, SelectObject, SetBoundsRect, GetTextMetricsW, GdiArtificialDecrementDriver, AddFontResourceExA, GetWorldTransform
SHLWAPI.dll	PathCombineW, SHRegOpenUSKeyW, PathIsSystemFolderA, StrNCatW, StrCmpW, PathFindExtensionW, UrlUnescapeA, UrlEscapeW
WINSPOOL.DRV	DeviceCapabilitiesA, GetPrinterDataExW, ConfigurePortA, ConnectToPrinterDlg, DevQueryPrint, DeletePrinterDriverA
MSVFW32.dll	DrawDibBegin, ICClose, MCIWndCreate
AVIFIL32.dll	AVIStreamOpenFromFileA, AVIMakeStreamFromClipboard

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Zusy.394472.15672.exe PID: 6496 Parent PID: 5828

General

Start time:	10:48:51
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'
Imagebase:	0x400000
File size:	198124 bytes
MD5 hash:	89CFB542CDA6A428CC5C02FEAF3C55F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.644964411.0000000000600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: SecuriteInfo.com.Variant.Zusy.394472.15672.exe PID: 6568 Parent PID: 6496

General

Start time:	10:48:51
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.394472.15672.exe'
Imagebase:	0x400000
File size:	198124 bytes
MD5 hash:	89CFB542CDA6A428CC5C02FEAF3C55F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.644193470.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.646633088.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Zusy.394472.15672.20727

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Zusy.394472.15672.exe PID: 6496 Parent PID: 5828

General

Analysis Process: SecuriteInfo.com.Variant.Zusy.394472.15672.exe PID: 6568 Parent PID: 6496

General

Disassembly

Code Analysis