Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Bulz.349164.25568.5993

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Bulz.349164.25568.5993 (renamed file extension from 5993 to exe)
Analysis ID:	433042
MD5:	c66fe399ec0cb598b2167a348c17f6a2
SHA1:	fcc9984283b3596fb575523fb90eb80ce702abe2
SHA256:	57f599e4ae63304de5795909f694122665f7c492df8078f7c5abb084d09baa2d
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Bulz.349164.25568.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe' MD5: C66FE399EC0CB598B2167A348C17F6A2)

SecuriteInfo.com.Variant.Bulz.349164.25568.exe (PID: 6968 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe MD5: C66FE399EC0CB598B2167A348C17F6A2)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rep.place/pba2/"], "decoy": ["marshabenjamin.com", "ipx-tv.com", "1826bet.net", "free-story-civilizatiom.com", "projecteightstudio.com", "blaxies3.com", "knowyourpharmacy.com", "daviddelavariservices.space", "hawaiidreamevents.com", "chickdeal.net", "toko363.com", "flextech.design", "americanprimativeguitar.com", "sourcesfloor.com", "project6212.com", "eggbeaterhub.xyz", "homefittness.com", "eigenguard.com", "bridgessd.com", "wordabbler.com", "432524.com", "blumlifestyle.com", "cn-liangyu.com", "earwaxsux.com", "n2keg.com", "kthetwobrothers.com", "freetoplaymedia.com", "ncunlimited.com", "mckinleygroupcommandforyou.com", "y-beautyplus.com", "plny.xyz", "luckyliars.com", "succozero.com", "zoorack.net", "myloveclubs.com", "cashstreamsonline.club", "23237a2371.info", "live-now20.xyz", "followtea.com", "xn--vhqqb70qmrhwmvnh0e.xyz", "thocudian.net", "trueradiencesolutions.net", "dictionarykick.com", "banbochfm.com", "privacyphonecover.com", "towandastorage.com", "livingthesustainablelife.com", "freeagencevoyage.com", "veritasfertilityandsurgery.com", "thehindufestival.com", "ollipsisparents.com", "caphesachnguyenchat.com", "xn--egegncel-95a.com", "americanpoolnbilliards.com", "wonderfulwanfield.com", "sheya360.com", "solterasalos40.com", "astarswimschools.net", "vcnse.com", "jinshifj.com", "washingtonreversemtgloans.com", "mutieudao.online", "fluatrec.com", "maggionsurvey.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc41f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc4582:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b0178:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b0502:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd0295:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2bc215:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcfd81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2bbd01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd0397:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2bc317:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd050f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bc48f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc4f9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2b0f1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xceffc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2baf7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc5d12:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2b1c92:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd5387:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2c1307:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd642a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd22b9:$sqlite3step: 68 34 1C 7B E1 0xd23cc:$sqlite3step: 68 34 1C 7B E1 0x2be239:$sqlite3step: 68 34 1C 7B E1 0x2be34c:$sqlite3step: 68 34 1C 7B E1 0xd22e8:$sqlite3text: 68 38 2A 90 C5 0xd240d:$sqlite3text: 68 38 2A 90 C5 0x2be268:$sqlite3text: 68 38 2A 90 C5 0x2be38d:$sqlite3text: 68 38 2A 90 C5 0xd22fb:$sqlite3blob: 68 53 D8 7F 8C 0xd2423:$sqlite3blob: 68 53 D8 7F 8C 0x2be27b:$sqlite3blob: 68 53 D8 7F 8C 0x2be3a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rep.place/pba2/"], "decoy": ["marshabenjamin.com", "ipx-tv.com", "1826bet.net", "free-story-civilizatiom.com", "projecteightstudio.com", "blaxies3.com", "knowyourpharmacy.com", "daviddelavariservices.space", "hawaiidreamevents.com", "chickdeal.net", "toko363.com", "flextech.design", "americanprimativeguitar.com", "sourcesfloor.com", "project6212.com", "eggbeaterhub.xyz", "homefittness.com", "eigenguard.com", "bridgessd.com", "wordabbler.com", "432524.com", "blumlifestyle.com", "cn-liangyu.com", "earwaxsux.com", "n2keg.com", "kthetwobrothers.com", "freetoplaymedia.com", "ncunlimited.com", "mckinleygroupcommandforyou.com", "y-beautyplus.com", "plny.xyz", "luckyliars.com", "succozero.com", "zoorack.net", "myloveclubs.com", "cashstreamsonline.club", "23237a2371.info", "live-now20.xyz", "followtea.com", "xn--vhqqb70qmrhwmvnh0e.xyz", "thocudian.net", "trueradiencesolutions.net", "dictionarykick.com", "banbochfm.com", "privacyphonecover.com", "towandastorage.com", "livingthesustainablelife.com", "freeagencevoyage.com", "veritasfertilityandsurgery.com", "thehindufestival.com", "ollipsisparents.com", "caphesachnguyenchat.com", "xn--egegncel-95a.com", "americanpoolnbilliards.com", "wonderfulwanfield.com", "sheya360.com", "solterasalos40.com", "astarswimschools.net", "vcnse.com", "jinshifj.com", "washingtonreversemtgloans.com", "mutieudao.online", "fluatrec.com", "maggionsurvey.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Virustotal: Detection: 45%			Perma Link
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Joe Sandbox ML: detected

Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: IsolatedStorageSecurityOptions.pdbh2 source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: IsolatedStorageSecurityOptions.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F22250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F23570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F23560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F22240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop esi	3_2_0041582C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop ebx	3_2_00406A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop edi	3_2_0041566C

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rep.place/pba2/

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664163112.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004181B0 NtCreateFile,	3_2_004181B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00418260 NtReadFile,	3_2_00418260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004182E0 NtClose,	3_2_004182E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00418390 NtAllocateVirtualMemory,	3_2_00418390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041825B NtReadFile,	3_2_0041825B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041838A NtAllocateVirtualMemory,	3_2_0041838A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01999860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019996E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_019996E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01999660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019999A0 NtCreateSection,	3_2_019999A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019999D0 NtCreateProcessEx,	3_2_019999D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999910 NtAdjustPrivilegesToken,	3_2_01999910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999950 NtQueueApcThread,	3_2_01999950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019998A0 NtWriteVirtualMemory,	3_2_019998A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019998F0 NtReadVirtualMemory,	3_2_019998F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999820 NtEnumerateKey,	3_2_01999820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199B040 NtSuspendThread,	3_2_0199B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999840 NtDelayExecution,	3_2_01999840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A3B0 NtGetContextThread,	3_2_0199A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999B00 NtSetValueKey,	3_2_01999B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A80 NtOpenDirectoryObject,	3_2_01999A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A10 NtQuerySection,	3_2_01999A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A00 NtProtectVirtualMemory,	3_2_01999A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A20 NtResumeThread,	3_2_01999A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A50 NtCreateFile,	3_2_01999A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019995D0 NtClose,	3_2_019995D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019995F0 NtQueryInformationFile,	3_2_019995F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199AD30 NtSetContextThread,	3_2_0199AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999520 NtWaitForSingleObject,	3_2_01999520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999540 NtReadFile,	3_2_01999540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999560 NtWriteFile,	3_2_01999560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999780 NtMapViewOfSection,	3_2_01999780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019997A0 NtUnmapViewOfSection,	3_2_019997A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999FE0 NtCreateMutant,	3_2_01999FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999710 NtQueryInformationToken,	3_2_01999710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A710 NtOpenProcessToken,	3_2_0199A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999730 NtQueryVirtualMemory,	3_2_01999730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A770 NtOpenThread,	3_2_0199A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999770 NtSetInformationFile,	3_2_01999770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999760 NtOpenProcess,	3_2_01999760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019996D0 NtCreateKey,	3_2_019996D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F22B08	0_2_04F22B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20040	0_2_04F20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20034	0_2_04F20034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F202AE	0_2_04F202AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20253	0_2_04F20253
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F2025F	0_2_04F2025F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041C194	3_2_0041C194
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BA28	3_2_0041BA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BB84	3_2_0041BB84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C4B	3_2_00408C4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C50	3_2_00408C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C0A	3_2_00408C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041C5E4	3_2_0041C5E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402D8B	3_2_00402D8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B642	3_2_0041B642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BF98	3_2_0041BF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972990	3_2_01972990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196C1C0	3_2_0196C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195F900	3_2_0195F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B090	3_2_0196B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A220A8	3_2_01A220A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A228EC	3_2_01A228EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2E824	3_2_01A2E824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01956800	3_2_01956800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11002	3_2_01A11002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197EB9A	3_2_0197EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198138B	3_2_0198138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198EBB0	3_2_0198EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198ABD8	3_2_0198ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A023E3	3_2_01A023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019A8BE8	3_2_019A8BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1DBD2	3_2_01A1DBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A103DA	3_2_01A103DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22B28	3_2_01A22B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1231B	3_2_01A1231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FCB4F	3_2_019FCB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197AB40	3_2_0197AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01973360	3_2_01973360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A232A9	3_2_01A232A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A222AE	3_2_01A222AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1E2C5	3_2_01A1E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0FA2B	3_2_01A0FA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019865A0	3_2_019865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196D5E0	3_2_0196D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A225DD	3_2_01A225DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22D07	3_2_01A22D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01950D20	3_2_01950D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972D50	3_2_01972D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A21D55	3_2_01A21D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984CD4	3_2_01984CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196841F	3_2_0196841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972430	3_2_01972430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1D466	3_2_01A1D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B477	3_2_0197B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A167E2	3_2_01A167E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A21FF1	3_2_01A21FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2DFCE	3_2_01A2DFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A01EB6	3_2_01A01EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22EF7	3_2_01A22EF7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 019AD08C appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 019E5720 appears 74 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 0195B150 appears 153 times

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000000.654505180.0000000000B86000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.669811504.0000000006080000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000002.667569220.0000000001BDF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000000.662192891.0000000000F76000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.349164.25568.exe.log

Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Virustotal: Detection: 45%
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: IsolatedStorageSecurityOptions.pdbh2 source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: IsolatedStorageSecurityOptions.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041607F push ecx; retf	3_2_00416085
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004152EE pushad ; retf	3_2_004152FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0040AB63 push 00000066h; retf	3_2_0040AB65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3F2 push eax; ret	3_2_0041B3F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3FB push eax; ret	3_2_0041B462
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3A5 push eax; ret	3_2_0041B3F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B45C push eax; ret	3_2_0041B462
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00414D10 pushfd ; ret	3_2_00414D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00414D22 pushfd ; ret	3_2_00414D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019AD0D1 push ecx; ret	3_2_019AD0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.85673320535

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6776, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Code function: 3_2_004088A0 rdtsc

3_2_004088A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe TID: 6780	Thread sleep time: -99739s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe TID: 6828	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Thread delayed: delay time: 99739			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Code function: 3_2_004088A0 rdtsc

3_2_004088A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Code function: 3_2_01999860 NtQuerySystemInformation,LdrInitializeThunk,

3_2_01999860

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]	3_2_01A149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]	3_2_01A149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]	3_2_01A149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]	3_2_01A149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982990 mov eax, dword ptr fs:[00000030h]	3_2_01982990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984190 mov eax, dword ptr fs:[00000030h]	3_2_01984190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195519E mov eax, dword ptr fs:[00000030h]	3_2_0195519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195519E mov ecx, dword ptr fs:[00000030h]	3_2_0195519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197C182 mov eax, dword ptr fs:[00000030h]	3_2_0197C182
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2F1B5 mov eax, dword ptr fs:[00000030h]	3_2_01A2F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2F1B5 mov eax, dword ptr fs:[00000030h]	3_2_01A2F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198A185 mov eax, dword ptr fs:[00000030h]	3_2_0198A185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]	3_2_019D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]	3_2_019D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]	3_2_019D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]	3_2_019D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198C9BF mov eax, dword ptr fs:[00000030h]	3_2_0198C9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198C9BF mov eax, dword ptr fs:[00000030h]	3_2_0198C9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1A189 mov eax, dword ptr fs:[00000030h]	3_2_01A1A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1A189 mov ecx, dword ptr fs:[00000030h]	3_2_01A1A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019661A7 mov eax, dword ptr fs:[00000030h]	3_2_019661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019661A7 mov eax, dword ptr fs:[00000030h]	3_2_019661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019661A7 mov eax, dword ptr fs:[00000030h]	3_2_019661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019661A7 mov eax, dword ptr fs:[00000030h]	3_2_019661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019861A0 mov eax, dword ptr fs:[00000030h]	3_2_019861A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019861A0 mov eax, dword ptr fs:[00000030h]	3_2_019861A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D69A6 mov eax, dword ptr fs:[00000030h]	3_2_019D69A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A289E7 mov eax, dword ptr fs:[00000030h]	3_2_01A289E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019699C7 mov eax, dword ptr fs:[00000030h]	3_2_019699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019699C7 mov eax, dword ptr fs:[00000030h]	3_2_019699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019699C7 mov eax, dword ptr fs:[00000030h]	3_2_019699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019699C7 mov eax, dword ptr fs:[00000030h]	3_2_019699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196C1C0 mov eax, dword ptr fs:[00000030h]	3_2_0196C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0195B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0195B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0195B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019531E0 mov eax, dword ptr fs:[00000030h]	3_2_019531E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E41E8 mov eax, dword ptr fs:[00000030h]	3_2_019E41E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A119D8 mov eax, dword ptr fs:[00000030h]	3_2_01A119D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]	3_2_01959100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]	3_2_01959100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]	3_2_01959100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01960100 mov eax, dword ptr fs:[00000030h]	3_2_01960100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01960100 mov eax, dword ptr fs:[00000030h]	3_2_01960100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01960100 mov eax, dword ptr fs:[00000030h]	3_2_01960100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198513A mov eax, dword ptr fs:[00000030h]	3_2_0198513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198513A mov eax, dword ptr fs:[00000030h]	3_2_0198513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01953138 mov ecx, dword ptr fs:[00000030h]	3_2_01953138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120 mov ecx, dword ptr fs:[00000030h]	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1E962 mov eax, dword ptr fs:[00000030h]	3_2_01A1E962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28966 mov eax, dword ptr fs:[00000030h]	3_2_01A28966
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195395E mov eax, dword ptr fs:[00000030h]	3_2_0195395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195395E mov eax, dword ptr fs:[00000030h]	3_2_0195395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B944 mov eax, dword ptr fs:[00000030h]	3_2_0197B944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B944 mov eax, dword ptr fs:[00000030h]	3_2_0197B944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195B171 mov eax, dword ptr fs:[00000030h]	3_2_0195B171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195B171 mov eax, dword ptr fs:[00000030h]	3_2_0195B171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11951 mov eax, dword ptr fs:[00000030h]	3_2_01A11951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195C962 mov eax, dword ptr fs:[00000030h]	3_2_0195C962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959080 mov eax, dword ptr fs:[00000030h]	3_2_01959080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01953880 mov eax, dword ptr fs:[00000030h]	3_2_01953880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01953880 mov eax, dword ptr fs:[00000030h]	3_2_01953880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D3884 mov eax, dword ptr fs:[00000030h]	3_2_019D3884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D3884 mov eax, dword ptr fs:[00000030h]	3_2_019D3884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0198F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F0BF mov eax, dword ptr fs:[00000030h]	3_2_0198F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F0BF mov eax, dword ptr fs:[00000030h]	3_2_0198F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019990AF mov eax, dword ptr fs:[00000030h]	3_2_019990AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov eax, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov eax, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov eax, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov ecx, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov eax, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628AE mov eax, dword ptr fs:[00000030h]	3_2_019628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019878A0 mov eax, dword ptr fs:[00000030h]	3_2_019878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019578D6 mov eax, dword ptr fs:[00000030h]	3_2_019578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019578D6 mov eax, dword ptr fs:[00000030h]	3_2_019578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019578D6 mov ecx, dword ptr fs:[00000030h]	3_2_019578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]	3_2_019EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019570C0 mov eax, dword ptr fs:[00000030h]	3_2_019570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019570C0 mov eax, dword ptr fs:[00000030h]	3_2_019570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A118CA mov eax, dword ptr fs:[00000030h]	3_2_01A118CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628FD mov eax, dword ptr fs:[00000030h]	3_2_019628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628FD mov eax, dword ptr fs:[00000030h]	3_2_019628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019628FD mov eax, dword ptr fs:[00000030h]	3_2_019628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B8E4 mov eax, dword ptr fs:[00000030h]	3_2_0197B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B8E4 mov eax, dword ptr fs:[00000030h]	3_2_0197B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]	3_2_019540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]	3_2_019540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]	3_2_019540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019558EC mov eax, dword ptr fs:[00000030h]	3_2_019558EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D mov eax, dword ptr fs:[00000030h]	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]	3_2_019D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]	3_2_019D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]	3_2_019D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01956800 mov eax, dword ptr fs:[00000030h]	3_2_01956800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01956800 mov eax, dword ptr fs:[00000030h]	3_2_01956800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01956800 mov eax, dword ptr fs:[00000030h]	3_2_01956800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]	3_2_0198002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]	3_2_0198002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]	3_2_0198002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]	3_2_0198002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]	3_2_0198002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A24015 mov eax, dword ptr fs:[00000030h]	3_2_01A24015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A24015 mov eax, dword ptr fs:[00000030h]	3_2_01A24015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984020 mov edi, dword ptr fs:[00000030h]	3_2_01984020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]	3_2_0196B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]	3_2_0196B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]	3_2_0196B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]	3_2_0196B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01957057 mov eax, dword ptr fs:[00000030h]	3_2_01957057
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955050 mov eax, dword ptr fs:[00000030h]	3_2_01955050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955050 mov eax, dword ptr fs:[00000030h]	3_2_01955050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955050 mov eax, dword ptr fs:[00000030h]	3_2_01955050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01970050 mov eax, dword ptr fs:[00000030h]	3_2_01970050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01970050 mov eax, dword ptr fs:[00000030h]	3_2_01970050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12073 mov eax, dword ptr fs:[00000030h]	3_2_01A12073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A21074 mov eax, dword ptr fs:[00000030h]	3_2_01A21074
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11843 mov eax, dword ptr fs:[00000030h]	3_2_01A11843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197F86D mov eax, dword ptr fs:[00000030h]	3_2_0197F86D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01954B94 mov edi, dword ptr fs:[00000030h]	3_2_01954B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A25BA5 mov eax, dword ptr fs:[00000030h]	3_2_01A25BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198B390 mov eax, dword ptr fs:[00000030h]	3_2_0198B390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11BA8 mov eax, dword ptr fs:[00000030h]	3_2_01A11BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197EB9A mov eax, dword ptr fs:[00000030h]	3_2_0197EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197EB9A mov eax, dword ptr fs:[00000030h]	3_2_0197EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982397 mov eax, dword ptr fs:[00000030h]	3_2_01982397
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198138B mov eax, dword ptr fs:[00000030h]	3_2_0198138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198138B mov eax, dword ptr fs:[00000030h]	3_2_0198138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198138B mov eax, dword ptr fs:[00000030h]	3_2_0198138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28BB6 mov eax, dword ptr fs:[00000030h]	3_2_01A28BB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A mov ecx, dword ptr fs:[00000030h]	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A mov eax, dword ptr fs:[00000030h]	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A mov eax, dword ptr fs:[00000030h]	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A mov eax, dword ptr fs:[00000030h]	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01961B8F mov eax, dword ptr fs:[00000030h]	3_2_01961B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01961B8F mov eax, dword ptr fs:[00000030h]	3_2_01961B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A29BBE mov eax, dword ptr fs:[00000030h]	3_2_01A29BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0D380 mov ecx, dword ptr fs:[00000030h]	3_2_01A0D380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1138A mov eax, dword ptr fs:[00000030h]	3_2_01A1138A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]	3_2_01984BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]	3_2_01984BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]	3_2_01984BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A023E3 mov ecx, dword ptr fs:[00000030h]	3_2_01A023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A023E3 mov ecx, dword ptr fs:[00000030h]	3_2_01A023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A023E3 mov eax, dword ptr fs:[00000030h]	3_2_01A023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D53CA mov eax, dword ptr fs:[00000030h]	3_2_019D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D53CA mov eax, dword ptr fs:[00000030h]	3_2_019D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019853C5 mov eax, dword ptr fs:[00000030h]	3_2_019853C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]	3_2_019803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01951BE9 mov eax, dword ptr fs:[00000030h]	3_2_01951BE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197DBE9 mov eax, dword ptr fs:[00000030h]	3_2_0197DBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1131B mov eax, dword ptr fs:[00000030h]	3_2_01A1131B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B5A mov eax, dword ptr fs:[00000030h]	3_2_01983B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B5A mov eax, dword ptr fs:[00000030h]	3_2_01983B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B5A mov eax, dword ptr fs:[00000030h]	3_2_01983B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B5A mov eax, dword ptr fs:[00000030h]	3_2_01983B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195F358 mov eax, dword ptr fs:[00000030h]	3_2_0195F358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195DB40 mov eax, dword ptr fs:[00000030h]	3_2_0195DB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]	3_2_01983B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]	3_2_01983B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196F370 mov eax, dword ptr fs:[00000030h]	3_2_0196F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196F370 mov eax, dword ptr fs:[00000030h]	3_2_0196F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196F370 mov eax, dword ptr fs:[00000030h]	3_2_0196F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0195DB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28B58 mov eax, dword ptr fs:[00000030h]	3_2_01A28B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E6365 mov eax, dword ptr fs:[00000030h]	3_2_019E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E6365 mov eax, dword ptr fs:[00000030h]	3_2_019E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E6365 mov eax, dword ptr fs:[00000030h]	3_2_019E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]	3_2_0198D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]	3_2_0198D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198DA88 mov eax, dword ptr fs:[00000030h]	3_2_0198DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198DA88 mov eax, dword ptr fs:[00000030h]	3_2_0198DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019812BD mov esi, dword ptr fs:[00000030h]	3_2_019812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019812BD mov eax, dword ptr fs:[00000030h]	3_2_019812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019812BD mov eax, dword ptr fs:[00000030h]	3_2_019812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0196AAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0196AAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0198FAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]	3_2_019552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]	3_2_019552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]	3_2_019552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]	3_2_019552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]	3_2_019552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01951AA0 mov eax, dword ptr fs:[00000030h]	3_2_01951AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019662A0 mov eax, dword ptr fs:[00000030h]	3_2_019662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019662A0 mov eax, dword ptr fs:[00000030h]	3_2_019662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019662A0 mov eax, dword ptr fs:[00000030h]	3_2_019662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019662A0 mov eax, dword ptr fs:[00000030h]	3_2_019662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01985AA0 mov eax, dword ptr fs:[00000030h]	3_2_01985AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01985AA0 mov eax, dword ptr fs:[00000030h]	3_2_01985AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1129A mov eax, dword ptr fs:[00000030h]	3_2_01A1129A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019512D4 mov eax, dword ptr fs:[00000030h]	3_2_019512D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF mov eax, dword ptr fs:[00000030h]	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982ACB mov eax, dword ptr fs:[00000030h]	3_2_01982ACB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955AC0 mov eax, dword ptr fs:[00000030h]	3_2_01955AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955AC0 mov eax, dword ptr fs:[00000030h]	3_2_01955AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955AC0 mov eax, dword ptr fs:[00000030h]	3_2_01955AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01953ACA mov eax, dword ptr fs:[00000030h]	3_2_01953ACA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982AE4 mov eax, dword ptr fs:[00000030h]	3_2_01982AE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28ADD mov eax, dword ptr fs:[00000030h]	3_2_01A28ADD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]	3_2_0195AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]	3_2_0195AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]	3_2_01955210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955210 mov ecx, dword ptr fs:[00000030h]	3_2_01955210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]	3_2_01955210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]	3_2_01955210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11229 mov eax, dword ptr fs:[00000030h]	3_2_01A11229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01973A1C mov eax, dword ptr fs:[00000030h]	3_2_01973A1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov ecx, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196BA00 mov eax, dword ptr fs:[00000030h]	3_2_0196BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01968A0A mov eax, dword ptr fs:[00000030h]	3_2_01968A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236 mov eax, dword ptr fs:[00000030h]	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01958239 mov eax, dword ptr fs:[00000030h]	3_2_01958239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01958239 mov eax, dword ptr fs:[00000030h]	3_2_01958239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01958239 mov eax, dword ptr fs:[00000030h]	3_2_01958239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]	3_2_01994A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]	3_2_01994A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01954A20 mov eax, dword ptr fs:[00000030h]	3_2_01954A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01954A20 mov eax, dword ptr fs:[00000030h]	3_2_01954A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]	3_2_01A1AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]	3_2_01A1AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]	3_2_0197A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]	3_2_01A0B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]	3_2_01A0B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28A62 mov eax, dword ptr fs:[00000030h]	3_2_01A28A62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E4257 mov eax, dword ptr fs:[00000030h]	3_2_019E4257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]	3_2_01959240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]	3_2_01959240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]	3_2_01959240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]	3_2_01959240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199927A mov eax, dword ptr fs:[00000030h]	3_2_0199927A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01995A69 mov eax, dword ptr fs:[00000030h]	3_2_01995A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01995A69 mov eax, dword ptr fs:[00000030h]	3_2_01995A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01995A69 mov eax, dword ptr fs:[00000030h]	3_2_01995A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1EA55 mov eax, dword ptr fs:[00000030h]	3_2_01A1EA55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11A5F mov eax, dword ptr fs:[00000030h]	3_2_01A11A5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]	3_2_0198FD9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]	3_2_0198FD9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01953591 mov eax, dword ptr fs:[00000030h]	3_2_01953591
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]	3_2_01A205AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]	3_2_01A205AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]	3_2_01952D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]	3_2_01952D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]	3_2_01952D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]	3_2_01952D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]	3_2_01952D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1B581 mov eax, dword ptr fs:[00000030h]	3_2_01A1B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1B581 mov eax, dword ptr fs:[00000030h]	3_2_01A1B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1B581 mov eax, dword ptr fs:[00000030h]	3_2_01A1B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1B581 mov eax, dword ptr fs:[00000030h]	3_2_01A1B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82 mov eax, dword ptr fs:[00000030h]	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]	3_2_01981DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]	3_2_01981DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]	3_2_01981DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019865A0 mov eax, dword ptr fs:[00000030h]	3_2_019865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019865A0 mov eax, dword ptr fs:[00000030h]	3_2_019865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019865A0 mov eax, dword ptr fs:[00000030h]	3_2_019865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019835A1 mov eax, dword ptr fs:[00000030h]	3_2_019835A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A1FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A1FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A1FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A1FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A08DF1 mov eax, dword ptr fs:[00000030h]	3_2_01A08DF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov ecx, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]	3_2_019D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019515C1 mov eax, dword ptr fs:[00000030h]	3_2_019515C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019595F0 mov eax, dword ptr fs:[00000030h]	3_2_019595F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019595F0 mov ecx, dword ptr fs:[00000030h]	3_2_019595F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0FDD3 mov eax, dword ptr fs:[00000030h]	3_2_01A0FDD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019895EC mov eax, dword ptr fs:[00000030h]	3_2_019895EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0196D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0196D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195751A mov eax, dword ptr fs:[00000030h]	3_2_0195751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195751A mov eax, dword ptr fs:[00000030h]	3_2_0195751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195751A mov eax, dword ptr fs:[00000030h]	3_2_0195751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195751A mov eax, dword ptr fs:[00000030h]	3_2_0195751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28D34 mov eax, dword ptr fs:[00000030h]	3_2_01A28D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1E539 mov eax, dword ptr fs:[00000030h]	3_2_01A1E539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FCD04 mov eax, dword ptr fs:[00000030h]	3_2_019FCD04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]	3_2_01963D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]	3_2_01984D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]	3_2_01984D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]	3_2_01984D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195AD30 mov eax, dword ptr fs:[00000030h]	3_2_0195AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019DA537 mov eax, dword ptr fs:[00000030h]	3_2_019DA537
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A13518 mov eax, dword ptr fs:[00000030h]	3_2_01A13518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A13518 mov eax, dword ptr fs:[00000030h]	3_2_01A13518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A13518 mov eax, dword ptr fs:[00000030h]	3_2_01A13518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F527 mov eax, dword ptr fs:[00000030h]	3_2_0198F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F527 mov eax, dword ptr fs:[00000030h]	3_2_0198F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198F527 mov eax, dword ptr fs:[00000030h]	3_2_0198F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01977D50 mov eax, dword ptr fs:[00000030h]	3_2_01977D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01994D51 mov eax, dword ptr fs:[00000030h]	3_2_01994D51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01994D51 mov eax, dword ptr fs:[00000030h]	3_2_01994D51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195354C mov eax, dword ptr fs:[00000030h]	3_2_0195354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195354C mov eax, dword ptr fs:[00000030h]	3_2_0195354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01993D43 mov eax, dword ptr fs:[00000030h]	3_2_01993D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D3540 mov eax, dword ptr fs:[00000030h]	3_2_019D3540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]	3_2_0197C577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]	3_2_0197C577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A03D40 mov eax, dword ptr fs:[00000030h]	3_2_01A03D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01978D76 mov eax, dword ptr fs:[00000030h]	3_2_01978D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01978D76 mov eax, dword ptr fs:[00000030h]	3_2_01978D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01978D76 mov eax, dword ptr fs:[00000030h]	3_2_01978D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01978D76 mov eax, dword ptr fs:[00000030h]	3_2_01978D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01978D76 mov eax, dword ptr fs:[00000030h]	3_2_01978D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A08D47 mov eax, dword ptr fs:[00000030h]	3_2_01A08D47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196849B mov eax, dword ptr fs:[00000030h]	3_2_0196849B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195649B mov eax, dword ptr fs:[00000030h]	3_2_0195649B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195649B mov eax, dword ptr fs:[00000030h]	3_2_0195649B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A29CB3 mov eax, dword ptr fs:[00000030h]	3_2_01A29CB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01951480 mov eax, dword ptr fs:[00000030h]	3_2_01951480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01954CB0 mov eax, dword ptr fs:[00000030h]	3_2_01954CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198D4B0 mov eax, dword ptr fs:[00000030h]	3_2_0198D4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E64B5 mov eax, dword ptr fs:[00000030h]	3_2_019E64B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019E64B5 mov eax, dword ptr fs:[00000030h]	3_2_019E64B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496 mov eax, dword ptr fs:[00000030h]	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01952CDB mov eax, dword ptr fs:[00000030h]	3_2_01952CDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198CCC0 mov eax, dword ptr fs:[00000030h]	3_2_0198CCC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198CCC0 mov eax, dword ptr fs:[00000030h]	3_2_0198CCC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198CCC0 mov eax, dword ptr fs:[00000030h]	3_2_0198CCC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198CCC0 mov eax, dword ptr fs:[00000030h]	3_2_0198CCC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A114FB mov eax, dword ptr fs:[00000030h]	3_2_01A114FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]	3_2_019D6CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]	3_2_019D6CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]	3_2_019D6CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A28CD6 mov eax, dword ptr fs:[00000030h]	3_2_01A28CD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019884E0 mov eax, dword ptr fs:[00000030h]	3_2_019884E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]	3_2_019D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]	3_2_019D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]	3_2_019D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]	3_2_019D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B433 mov eax, dword ptr fs:[00000030h]	3_2_0196B433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B433 mov eax, dword ptr fs:[00000030h]	3_2_0196B433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B433 mov eax, dword ptr fs:[00000030h]	3_2_0196B433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983C3E mov eax, dword ptr fs:[00000030h]	3_2_01983C3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983C3E mov eax, dword ptr fs:[00000030h]	3_2_01983C3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01983C3E mov eax, dword ptr fs:[00000030h]	3_2_01983C3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]	3_2_01A11C06

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	System Information Discovery112	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information11	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Bulz.349164.25568.exe	46%	Virustotal		Browse
SecuriteInfo.com.Variant.Bulz.349164.25568.exe	35%	ReversingLabs	Win32.Trojan.Wacatac
SecuriteInfo.com.Variant.Bulz.349164.25568.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.rep.place/pba2/	2%	Virustotal		Browse
www.rep.place/pba2/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.rep.place/pba2/	true	2%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664163112.0000000002EE1000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433042
Start date:	11.06.2021
Start time:	08:06:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Bulz.349164.25568.5993 (renamed file extension from 5993 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.6% (good quality ratio 6.1%) Quality average: 74.4% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 229
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

Simulations

Behavior and APIs

Time	Type	Description
08:07:32	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Variant.Bulz.349164.25568.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.349164.25568.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.40623038199471
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	SecuriteInfo.com.Variant.Bulz.349164.25568.exe
File size:	1011200
MD5:	c66fe399ec0cb598b2167a348c17f6a2
SHA1:	fcc9984283b3596fb575523fb90eb80ce702abe2
SHA256:	57f599e4ae63304de5795909f694122665f7c492df8078f7c5abb084d09baa2d
SHA512:	59993980767c12bb6e536a0ba4ab60b5ea54987a3893fd4044b1078d4f7014304e6e2c147488a138f57342eaba1bca5ec8842753b5bd3ab48360d8b9458598d8
SSDEEP:	24576:6tN220KdM+lT+hwWVAQSW3+0NeBUdtX1q:yDRl0V9N3JwBUE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..`.....................V.......2... ...@....@.. ....................................@................................

File Icon


Icon Hash:	c4c4c4c8ccd4d0c4

Static PE Info

General
Entrypoint:	0x4c328e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C2AA7A [Fri Jun 11 00:12:42 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc3240	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x35134	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc31e1	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc1294	0xc1400	False	0.897193109234	data	7.85673320535	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xc4000	0x1e8	0x200	False	0.861328125	data	6.62325644136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x35134	0x35200	False	0.210225183824	data	4.44239053634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc6490	0x668	data
RT_ICON	0xc6af8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294965391, next used block 7403512
RT_ICON	0xc6de0	0x1e8	data
RT_ICON	0xc6fc8	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0xc70f0	0x35e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xca6d0	0xea8	data
RT_ICON	0xcb578	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0xcbe20	0x6c8	data
RT_ICON	0xcc4e8	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xcca50	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xdd278	0x94a8	data
RT_ICON	0xe6720	0x67e8	data
RT_ICON	0xecf08	0x5488	data
RT_ICON	0xf2390	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432
RT_ICON	0xf65b8	0x25a8	data
RT_ICON	0xf8b60	0x10a8	data
RT_ICON	0xf9c08	0x988	data
RT_ICON	0xfa590	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xfa9f8	0x102	data
RT_GROUP_ICON	0xfaafc	0x84	data
RT_VERSION	0xfab80	0x3c8	data
RT_MANIFEST	0xfaf48	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Paul Harris 2016
Assembly Version	251.2.0.0
InternalName	IsolatedStorageSecurityOptions.exe
FileVersion	251.2.0.0
CompanyName	Paul Harris
LegalTrademarks
Comments	1992 Alpine A 610
ProductName	ReloadManager
ProductVersion	251.2.0.0
FileDescription	ReloadManager
OriginalFilename	IsolatedStorageSecurityOptions.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6776 Parent PID: 6108

General

Start time:	08:07:30
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe'
Imagebase:	0xac0000
File size:	1011200 bytes
MD5 hash:	C66FE399EC0CB598B2167A348C17F6A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6968 Parent PID: 6776

General

Start time:	08:07:34
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Imagebase:	0xeb0000
File size:	1011200 bytes
MD5 hash:	C66FE399EC0CB598B2167A348C17F6A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6776 Parent PID: 6108 SecuriteInfo.com.Variant.Bulz.349164.25568.exeCOMMON

Executed Functions

Function 04F22B08, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58391067676300591c0a76f6c9d22faf35665a5a1aa5803b7622469b71913f03
Instruction ID: 8575e56c668545726ff85bb2fca6d84872ddb9026ecdd7237a208b42bba20f47
Opcode Fuzzy Hash: 58391067676300591c0a76f6c9d22faf35665a5a1aa5803b7622469b71913f03
Instruction Fuzzy Hash: DEC1BC31B016158FEB2ADB75C560BAEB3E6AF88308F1544AED145DB3A0DF74E902CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F22250, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9728919418784344cae9f6b95939a888548aff18b3c03bdc6b5a25f9dee66f5a
Instruction ID: 0dc547ce81fd033b1fa005542e0e1b34ed6c942ec7063545868fcc54f52ae53a
Opcode Fuzzy Hash: 9728919418784344cae9f6b95939a888548aff18b3c03bdc6b5a25f9dee66f5a
Instruction Fuzzy Hash: 5F314770D05228CFEB04CFA4D6487EEBAB0EF0A301F1258AAE401B3280D7756A46DF65

Uniqueness

Uniqueness Score: -1.00%

Function 04F22240, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047c0806ad99b938ba960cb5c84151feb876f039a1657f4392bd9620b9d68efb
Instruction ID: 6150826cb751b58cf43955a114308a701b293d275c80fa30b13c40cfce89d756
Opcode Fuzzy Hash: 047c0806ad99b938ba960cb5c84151feb876f039a1657f4392bd9620b9d68efb
Instruction Fuzzy Hash: 74315670D05228DBEB008FA4D6487EEBBB0EF0A301F1258A9E405B3280CB756A46DF65

Uniqueness

Uniqueness Score: -1.00%

Function 04F238A0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04F238F8

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 22c43656390235173a0034509b5b20ebc32296a1351b30aa144cc79d7bd65366
Instruction ID: 37f35d77cba392be818410785c56c816bab28fa6f3ee4aab3f2ea894d89ccaed
Opcode Fuzzy Hash: 22c43656390235173a0034509b5b20ebc32296a1351b30aa144cc79d7bd65366
Instruction Fuzzy Hash: F11133B18002198FDB10CFAAC585BDEBBF4EB48320F10842AD928A7340C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F23899, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04F238F8

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b32d4cb377924cdacbd118350b7ede0e33d8544dd3109230f7aea20968b1e087
Instruction ID: 8b409cbc275e8c0feb605cacd218edc7b882bad479d406b7195468da70b1fe6f
Opcode Fuzzy Hash: b32d4cb377924cdacbd118350b7ede0e33d8544dd3109230f7aea20968b1e087
Instruction Fuzzy Hash: 231145B6D00219CFDB10CFA9C585BDEBBF4EB48320F14842AD928A7340C338A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F21D58, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04F21DBD

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1d194e9582d953d042a2aa4e5c75a57aeab00aac655361b42a76ec677f72ec72
Instruction ID: 6dbbde4667bf54dd53b804c19a180d7c0aa12da710151f5b12b01e72eb393e75
Opcode Fuzzy Hash: 1d194e9582d953d042a2aa4e5c75a57aeab00aac655361b42a76ec677f72ec72
Instruction Fuzzy Hash: 2911F5B5800349DFDB10CF9AD989BDFBBF8EB48324F148419D864A7200C374A544CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F21D91, Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04F21DBD

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fce59139eb15268618291ebff1a051a949e59e0aafff694205d71537debaa6fb
Instruction ID: f7f0ea388725c567e80557c38d525ba1d9e1244543db32b570845dcc0ca6f1fa
Opcode Fuzzy Hash: fce59139eb15268618291ebff1a051a949e59e0aafff694205d71537debaa6fb
Instruction Fuzzy Hash: 46F0E2B6900309DFDB20CF89D988BDEBBF4FB48324F10841AE559A7610C379A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04F20040, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb9a06c8e3bb53bafb7616381ab8333ec03805c0915750c47bc26907b8e9c02
Instruction ID: 42310449f8af8764a4aee9291b8a8b80f3e553de444a255e9fed681d61823e28
Opcode Fuzzy Hash: ccb9a06c8e3bb53bafb7616381ab8333ec03805c0915750c47bc26907b8e9c02
Instruction Fuzzy Hash: F2714B72E04669CBDB64CF66C9407AEB7B6FBC9300F10D5AA950DB6214EB305A829F44

Uniqueness

Uniqueness Score: -1.00%

Function 04F20034, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3ff26a1cafd04e2f902aaa3097eda30a6309e2f732765cfeb0011db27ee5a3
Instruction ID: 54ab337976fb4194c8f95dd214c01adfc3c4a5d1c4047bc4a68410521af82cee
Opcode Fuzzy Hash: 3d3ff26a1cafd04e2f902aaa3097eda30a6309e2f732765cfeb0011db27ee5a3
Instruction Fuzzy Hash: E9613872E04669CBDB68CF66C94479DFBB2FBC8300F10C5AAD509A7214EB305A869F44

Uniqueness

Uniqueness Score: -1.00%

Function 04F2025F, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcb87e641798550bb49c8ca853dcf47afd7c920186d15dfbeec420f1f28e904
Instruction ID: 3d809ca22028e71da4aa04b31970ea5ffcf1eed92e907aff114503b63861f3a2
Opcode Fuzzy Hash: 0bcb87e641798550bb49c8ca853dcf47afd7c920186d15dfbeec420f1f28e904
Instruction Fuzzy Hash: 52513C71E0426ACFDB64CF65C9407ADF7B2FB89300F1085EAD509B7210E7306A869F55

Uniqueness

Uniqueness Score: -1.00%

Function 04F202AE, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2656192b7021506658f518c53626ce4cd07791f937e738e44dbe2956561a6deb
Instruction ID: 7e871eaa1616f31a31287a6fe1ecc847d5b977eb3cd33253a58d04a69f216ff0
Opcode Fuzzy Hash: 2656192b7021506658f518c53626ce4cd07791f937e738e44dbe2956561a6deb
Instruction Fuzzy Hash: 0E516C71E0426ACFDB64CF65C94079DF7B2FB88300F1085EAD509B7210EB306A869F44

Uniqueness

Uniqueness Score: -1.00%

Function 04F20253, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b280400f56145076c0bc85bcebb28ab251e820b680862da732ef6e8d5f06f8
Instruction ID: 59f6545beeefbb5cd02d4d1c4b90e1c865fac3c2abbf825dd547a680aa11c16a
Opcode Fuzzy Hash: 45b280400f56145076c0bc85bcebb28ab251e820b680862da732ef6e8d5f06f8
Instruction Fuzzy Hash: B5516C72E0026ACFDB64CF65C9407ADF7B2FB89300F1085EAD109B7214EB306A869F44

Uniqueness

Uniqueness Score: -1.00%

Function 04F23570, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b32a6c98a6e0518101239a26aa993589220f950cfde73db5b24be97a32e1c52
Instruction ID: fe60157c5df9c0899124ea89722e8e093a09b88ed4204d59a98298434b3039d8
Opcode Fuzzy Hash: 9b32a6c98a6e0518101239a26aa993589220f950cfde73db5b24be97a32e1c52
Instruction Fuzzy Hash: 7F3158B0D05229DBDB10CFB5D658BEDBAF9AB0A304F108429E805B7350D778AA46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04F23560, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666730858.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0baa15aaad5cbc3872d6ef270f7f2c844a080d976aecb760ecbb81a7fc1ab18
Instruction ID: 276411a0f0bd2ad15fb969ed6fa9473e9bd6d27eabb04772b7463ca9cf4078f0
Opcode Fuzzy Hash: a0baa15aaad5cbc3872d6ef270f7f2c844a080d976aecb760ecbb81a7fc1ab18
Instruction Fuzzy Hash: 1E218BB0D06229DBDB10CFB0D659BEDBEF9AB0A301F50502AE805B3341D778AA46DB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6968 Parent PID: 6776 SecuriteInfo.com.Variant.Bulz.349164.25568.exeCOMMON

Executed Functions

Function 0041825B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041825B(intOrPtr* __edi, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				intOrPtr* _t29;
				void* _t31;

				cs =  *__edi;
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DB0(__edi, _a4, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, __esi, _t31); // executed
				return _t18;
			}

0x0041825b
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 9ed0118dbea067c7bc7debf391f841dd19442a8ec44f6e8416d7df2d63800be4
Instruction ID: 61a515deaccbf1d5b1a0dfaafddea0228dfd8bd896104ceabaadc41731c59592
Opcode Fuzzy Hash: 9ed0118dbea067c7bc7debf391f841dd19442a8ec44f6e8416d7df2d63800be4
Instruction Fuzzy Hash: 8BF0E7B6200104ABCB14CF89DC90EEB77A9EF8C314F118649FA4D97240CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041838A(void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t14;
				void* _t22;

				asm("loopne 0x4");
				asm("invalid");
				_t10 = _v0;
				_push(_t23);
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DB0(_t22, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t14;
			}

0x0041838d
0x0041838f
0x00418393
0x00418399
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3d7c557bfc4e8905460adeb9d0b6000f91f336e2071948dc9ad10f6d28085d89
Instruction ID: 9a144cba2bc674130d6f2d4554e463ae4b6eb60bbea652f9a64cea7dc597ee09
Opcode Fuzzy Hash: 3d7c557bfc4e8905460adeb9d0b6000f91f336e2071948dc9ad10f6d28085d89
Instruction Fuzzy Hash: A7F0F8B5200218ABCB14DF89DC81EEB77ADAF88754F158549FE19A7241C634E910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01999860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0199986A

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d00d9d68adcd620324ddbee2ebb4d6fd8a59ce00ecc81f187ce18a6c23b6f9e3
Instruction ID: 59d5c1e6039382d3cafc06334fa9545f16c273e9c02e43a8d977e68e81023970
Opcode Fuzzy Hash: d00d9d68adcd620324ddbee2ebb4d6fd8a59ce00ecc81f187ce18a6c23b6f9e3
Instruction Fuzzy Hash: 8D90027160110423D111619945047074099A7D0285FD1C412A0454598DDA968956B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 019996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019996EA

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d3d3f8635f61a11a5c69434bf89ce03df3eb28c90c1b18323213dfa7f44694b
Instruction ID: 296d7441fc52b84d399a8ea8ded4211985a89714cab1c1a4fd7b2fd325e6600e
Opcode Fuzzy Hash: 4d3d3f8635f61a11a5c69434bf89ce03df3eb28c90c1b18323213dfa7f44694b
Instruction Fuzzy Hash: 8990027160118812D1106199840474A4095A7D0345FD5C411A4454698DCAD5889571A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0199966A

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 659df851a589f31a104e69e50ff901da85349300fdfe18a97256e1e6cfeeeaa4
Instruction ID: 8b314920335aec63b5ad1be2c2dce66182eeddbfc95289853701ea142d140646
Opcode Fuzzy Hash: 659df851a589f31a104e69e50ff901da85349300fdfe18a97256e1e6cfeeeaa4
Instruction Fuzzy Hash: DB90027160110812D1807199440464A4095A7D1345FD1C015A0055694DCE558A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418497
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 0199967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01999694

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3eff44def22108ec5dbbe3f68b1dcafc877c67398bb2adce5e5a735e0d3679b8
Instruction ID: c7701838e11ab0b4b1231229e905ea5f0cbe43b3a03b19830d0cd5296e4b5a0f
Opcode Fuzzy Hash: 3eff44def22108ec5dbbe3f68b1dcafc877c67398bb2adce5e5a735e0d3679b8
Instruction Fuzzy Hash: 04B02B71C010C0C5EB01D3A80608717794077C0309F52C011D1060280B4738C080F1F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A0B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** enter .cxr %p for the context, xrefs: 01A0B50D
*** enter .exr %p for the exception record, xrefs: 01A0B4F1
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A0B305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A0B39B
The resource is owned exclusively by thread %p, xrefs: 01A0B374
a NULL pointer, xrefs: 01A0B4E0
*** Resource timeout (%p) in %ws:%s, xrefs: 01A0B352
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A0B323
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A0B53F
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A0B2DC
read from, xrefs: 01A0B4AD, 01A0B4B2
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A0B2F3
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A0B484
The resource is owned shared by %d threads, xrefs: 01A0B37E
an invalid address, %p, xrefs: 01A0B4CF
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A0B476
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A0B38F
The instruction at %p referenced memory at %p., xrefs: 01A0B432
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A0B47D
*** An Access Violation occurred in %ws:%s, xrefs: 01A0B48F
<unknown>, xrefs: 01A0B27E, 01A0B2D1, 01A0B350, 01A0B399, 01A0B417, 01A0B48E
Go determine why that thread has not released the critical section., xrefs: 01A0B3C5
*** then kb to get the faulting stack, xrefs: 01A0B51C
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A0B3D6
The instruction at %p tried to %s , xrefs: 01A0B4B6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A0B314
*** Inpage error in %ws:%s, xrefs: 01A0B418
This failed because of error %Ix., xrefs: 01A0B446
write to, xrefs: 01A0B4A6
The critical section is owned by thread %p., xrefs: 01A0B3B9

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 962e02bf77884dcfb28e30ae9bfa5147565c3cc496418e5620fa52156ad5af10
Instruction ID: 8097b69b673b14b79b4039c0a7b617a8b29891aa5115c0aa032f853c7be79901
Opcode Fuzzy Hash: 962e02bf77884dcfb28e30ae9bfa5147565c3cc496418e5620fa52156ad5af10
Instruction Fuzzy Hash: B481367DA80200FFEB235B4AED49D6B3BB5EFAAB55F460088F50C1B192D3628511C672

Uniqueness

Uniqueness Score: -1.00%

Function 01A11C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01A11C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x19348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0195B150();
				} else {
					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1a4589c);
				E0195B150("Heap error detected at %p (heap handle %p)\n",  *0x1a458a0);
				_t27 =  *0x1a45898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01A11E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0195B150();
				} else {
					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0195B150("Error code: %d - %s\n",  *0x1a45898);
				_t113 =  *0x1a458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0195B150();
					} else {
						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0195B150("Parameter1: %p\n",  *0x1a458a4);
				}
				_t115 =  *0x1a458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0195B150();
					} else {
						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0195B150("Parameter2: %p\n",  *0x1a458a8);
				}
				_t117 =  *0x1a458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0195B150();
					} else {
						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0195B150("Parameter3: %p\n",  *0x1a458ac);
				}
				_t119 =  *0x1a458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0195B150();
					} else {
						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1a458b4);
					E0195B150("Last known valid blocks: before - %p, after - %p\n",  *0x1a458b0);
				} else {
					_t120 =  *0x1a458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0195B150();
				} else {
					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0195B150("Stack trace available at %p\n", 0x1a458c0);
			}

0x01a11c10
0x01a11c16
0x01a11c1e
0x01a11c3d
0x01a11c3e
0x01a11c20
0x01a11c35
0x01a11c3a
0x01a11c44
0x01a11c55
0x01a11c5a
0x01a11c65
0x01a11c67
0x00000000
0x01a11c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01a11c67
0x01a11cdc
0x01a11ce5
0x01a11d04
0x01a11d05
0x01a11ce7
0x01a11cfc
0x01a11d01
0x01a11d0b
0x01a11d17
0x01a11d1f
0x01a11d25
0x01a11d30
0x01a11d4f
0x01a11d50
0x01a11d32
0x01a11d47
0x01a11d4c
0x01a11d61
0x01a11d67
0x01a11d68
0x01a11d6e
0x01a11d79
0x01a11d98
0x01a11d99
0x01a11d7b
0x01a11d90
0x01a11d95
0x01a11daa
0x01a11db0
0x01a11db1
0x01a11db7
0x01a11dc2
0x01a11de1
0x01a11de2
0x01a11dc4
0x01a11dd9
0x01a11dde
0x01a11df3
0x01a11df9
0x01a11dfa
0x01a11e00
0x01a11e0a
0x01a11e13
0x01a11e32
0x01a11e33
0x01a11e15
0x01a11e2a
0x01a11e2f
0x01a11e39
0x01a11e4a
0x01a11e02
0x01a11e02
0x01a11e08
0x00000000
0x00000000
0x01a11e08
0x01a11e5b
0x01a11e7a
0x01a11e7b
0x01a11e5d
0x01a11e72
0x01a11e77
0x01a11e95

Strings

heap_failure_entry_corruption, xrefs: 01A11C83
Parameter1: %p, xrefs: 01A11D5C
heap_failure_generic, xrefs: 01A11C7C
Error code: %d - %s, xrefs: 01A11D12
heap_failure_internal, xrefs: 01A11C6E
heap_failure_freelists_corruption, xrefs: 01A11CC9
heap_failure_usage_after_free, xrefs: 01A11CBB
heap_failure_cross_heap_operation, xrefs: 01A11CC2
heap_failure_buffer_underrun, xrefs: 01A11C9F
heap_failure_listentry_corruption, xrefs: 01A11CD0
Heap error detected at %p (heap handle %p), xrefs: 01A11C50
HEAP[%wZ]: , xrefs: 01A11C30, 01A11CF7, 01A11D42, 01A11D8B, 01A11DD4, 01A11E25, 01A11E6D
heap_failure_multiple_entries_corruption, xrefs: 01A11C8A
Stack trace available at %p, xrefs: 01A11E86
heap_failure_invalid_argument, xrefs: 01A11CAD
heap_failure_block_not_busy, xrefs: 01A11CA6
heap_failure_unknown, xrefs: 01A11C75
heap_failure_lfh_bitmap_mismatch, xrefs: 01A11CD7
HEAP: , xrefs: 01A11C16, 01A11C3D, 01A11D04, 01A11D4F, 01A11D98, 01A11DE1, 01A11E32, 01A11E7A
heap_failure_buffer_overrun, xrefs: 01A11C98
Parameter3: %p, xrefs: 01A11DEE
heap_failure_invalid_allocation_type, xrefs: 01A11CB4
Last known valid blocks: before - %p, after - %p, xrefs: 01A11E45
heap_failure_virtual_block_corruption, xrefs: 01A11C91
Parameter2: %p, xrefs: 01A11DA5

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 727ba0940d3afea9113c1b46cd62a02a86d3fb87c59ea1b56344e17ed74f0271
Instruction ID: e2a1efdf3ac6de9d54240d501b6c811be63eab7a40886112d9f3e849bf1e6a2d
Opcode Fuzzy Hash: 727ba0940d3afea9113c1b46cd62a02a86d3fb87c59ea1b56344e17ed74f0271
Instruction Fuzzy Hash: FA61E53A911245DFD792EBB9D484D30B3F5FB84930B0D806EFA0E6B745D6689C418F4A

Uniqueness

Uniqueness Score: -1.00%

Function 0198C9BF, Relevance: 14.2, Strings: 11, Instructions: 412COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019CABF3
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019CAC2C
RtlpResolveAssemblyStorageMapEntry, xrefs: 019CAC27
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019CAB0E
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019CAA1A
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019CAA11
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019CAC0A
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019CAAA0
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019CA8EC
@, xrefs: 019CABA3
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019CAAC8

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: b7c412a1fda47ae1f33d7deeaa0f21b77539d63f6a7f76a42ba9f7a4a73cb296
Instruction ID: 49ef3b28617427bd019e9b24911c091c7d57e35cc262c65f4173fef20f2ee0b6
Opcode Fuzzy Hash: b7c412a1fda47ae1f33d7deeaa0f21b77539d63f6a7f76a42ba9f7a4a73cb296
Instruction Fuzzy Hash: FD026FF1D002299BDB31DB18CD80FDAB7B8AB54705F4045EAE64DA7241E731AE84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01A14AEF, Relevance: 11.8, Strings: 9, Instructions: 529COMMON

Download Yara Rule

Strings

Heap block at %p is not last block in segment (%p), xrefs: 01A14FD6
HEAP: , xrefs: 01A14F1A, 01A14F6A, 01A14FC7, 01A1502A, 01A1506E, 01A150B6, 01A15107
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 01A150C6
Free Heap block %p modified at %p after it was freed, xrefs: 01A14F2F
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 01A1508C
HEAP[%wZ]: , xrefs: 01A14EE1, 01A14F0D, 01A14F5D, 01A14FBA, 01A1501D, 01A15061, 01A150FA
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01A14F81
Heap block at %p has incorrect segment offset (%x), xrefs: 01A1503B
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01A15119

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: e5f4b05f12654d167f1d0f684803bc3984f0ca8fed8f0e0ab8311e728e3afa9b
Instruction ID: de9a7f71bc5a6d0f1c656cfd86116aa8587d20aaad64aeee1f8671bf4a06f59c
Opcode Fuzzy Hash: e5f4b05f12654d167f1d0f684803bc3984f0ca8fed8f0e0ab8311e728e3afa9b
Instruction Fuzzy Hash: 0A12D270604642DFDB25CF6DC485BBABBF1FF89710F188459E88A8B685D734E881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A14496, Relevance: 10.4, Strings: 8, Instructions: 417COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A1465F, 01A146C0, 01A147D3, 01A1485E, 01A14924, 01A14978
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 01A147E2
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 01A1486F
HEAP[%wZ]: , xrefs: 01A14652, 01A146B3, 01A147C6, 01A14851, 01A14917, 01A1496B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 01A1493D
dedicated (%04Ix) free list element %p is marked busy, xrefs: 01A146CF
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01A14992
Non-Dedicated free list element %p is out of order, xrefs: 01A1466B

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 9b270a5728ef6d58331f73fb3c9397308ae751798c1e72368add7cf51cbc02ce
Instruction ID: 2d841ce730e3bf8d7a0a9c1fbcb604caee0139551602fdbf78215aad15f73061
Opcode Fuzzy Hash: 9b270a5728ef6d58331f73fb3c9397308ae751798c1e72368add7cf51cbc02ce
Instruction Fuzzy Hash: 2FF14531600646EFDB25CF6DC440BAABBF6FF8D314F188429E54A9B685C734A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019878A0, Relevance: 8.5, Strings: 6, Instructions: 989COMMON

Download Yara Rule

Strings

R, xrefs: 01987956
{, xrefs: 019C8CEE
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0198794C
T, xrefs: 01987942
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01987960
MUI, xrefs: 01987BCA

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
API String ID: 0-2515562510
Opcode ID: 15547da17e304adff6d4d215fd9c190ebf47bad9900120637b880a48c7265dcd
Instruction ID: 4e0d6e8bb999a1cfa484df929675eae8714f266dc632c307d0d61c0b63d0d4b3
Opcode Fuzzy Hash: 15547da17e304adff6d4d215fd9c190ebf47bad9900120637b880a48c7265dcd
Instruction Fuzzy Hash: 20926870E04229CFDB28DF98C880BAEBBB9BF45704F248659D95DAB341D734A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0197A309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 019C213C
((LONG)FreeEntry->Size > 1), xrefs: 019C1F89
HEAP: , xrefs: 019C1E95, 019C1F7E, 019C2131, 019C2269
(UCRBlock != NULL), xrefs: 019C1EA0
HEAP[%wZ]: , xrefs: 019C1E88, 019C1F71, 019C2124, 019C225C
(!TrailingUCR), xrefs: 019C2274

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 2401aef315819036b67485b5931cbe61c9438d97fd6849729e47e274d2735cb4
Instruction ID: 08b4af9c4f85cc9c22a52dde218ffa1c954fe8b36f85de5b046194c6663d54b7
Opcode Fuzzy Hash: 2401aef315819036b67485b5931cbe61c9438d97fd6849729e47e274d2735cb4
Instruction Fuzzy Hash: 7742CF316083829FD715DF28C884B2EBBE9FF98A04F18496DE58A8B352D734D941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A12D82, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A12F4B, 01A12FF8, 01A1304F
RtlAllocateHeap, xrefs: 01A12DCA
Just allocated block at %p for %Ix bytes, xrefs: 01A12F5F
HEAP[%wZ]: , xrefs: 01A12F3E, 01A12FEB, 01A13042
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A1305E
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01A13015

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 580ad79c49613326152e3a1f5ad1b9e704b0e918da68e7153933c685b883b4e2
Instruction ID: e31622f828cca27e42c76307e8b55b041018c99676c18780ea2c4d4f081317d5
Opcode Fuzzy Hash: 580ad79c49613326152e3a1f5ad1b9e704b0e918da68e7153933c685b883b4e2
Instruction Fuzzy Hash: D6910435600681DFDB26DF68C444BADBBF2FF89720F28801DE54AAB695C7329942CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0198CCC0, Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 019CAD78
.Local\, xrefs: 0198CD61
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 019CAD9C
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 019CAD06
\WinSxS\, xrefs: 0198CDF3
@, xrefs: 0198CE1D

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: 871728418f9621b7c6d682f17f666b24fe1548e9ad6c0670a9ff87aab53e7f8a
Instruction ID: 4345d0f2b6c750544126428b10262c887a18733c3f382f7052fa2275e15a44af
Opcode Fuzzy Hash: 871728418f9621b7c6d682f17f666b24fe1548e9ad6c0670a9ff87aab53e7f8a
Instruction Fuzzy Hash: 1381EF715043029FDB11EF29C880A6BBBE8FFD5B05F04895DF8899B291E374D944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01963D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01963E97
Kernel-MUI-Language-Allowed, xrefs: 01963DC0
Kernel-MUI-Language-SKU, xrefs: 01963F70
Kernel-MUI-Number-Allowed, xrefs: 01963D8C
WindowsExcludedProcs, xrefs: 01963D6F

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 17b5ebae708d6c42bb9fd3af2d4715db4083b1d78bcd3c0e37f78f57a129f334
Instruction ID: 494cd4f32512355e50e909a9234162a35d5b37d8189b56fddc528bba03a3806a
Opcode Fuzzy Hash: 17b5ebae708d6c42bb9fd3af2d4715db4083b1d78bcd3c0e37f78f57a129f334
Instruction Fuzzy Hash: 78F12A72D00619EBDB15DFD8C980EEEBBBDFF98650F15046AE509A7250E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019E64B5, Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

Type:, xrefs: 019E64CE
Name:, xrefs: 019E64E7
Language:, xrefs: 019E64F6
SR - , xrefs: 019E652D
Item:, xrefs: 019E6505

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: Item:$ Language:$ Name:$SR - $Type:
API String ID: 0-3082644519
Opcode ID: 828b84fb6f8f660e798e3b1bfcb606896851b438509a15fbb47d8c9da9c9ab08
Instruction ID: f7445ad42b25419fd244c0986a156040fa8e40658d0f2933fb0949ee7b1e31fb
Opcode Fuzzy Hash: 828b84fb6f8f660e798e3b1bfcb606896851b438509a15fbb47d8c9da9c9ab08
Instruction Fuzzy Hash: F741AF72A002296BDB25DB69CC5CBAABBFCEF95310F0401D5A54DA7240EE349E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019540E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019B044C
RtlAllocateHeap, xrefs: 019B0468
, passed to %s, xrefs: 019B0469
Invalid heap signature for heap at %p, xrefs: 019B0458
HEAP[%wZ]: , xrefs: 019B043F

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 0c4da8617c1a9933e613530ddd8404b4c4d3a08ce3d6df0140676c4d79786c13
Instruction ID: 3eb7d8c8686a966d0d2a0eb63d19f1f187a5ad1d3f8052a9168f7f1ea1b0c2b7
Opcode Fuzzy Hash: 0c4da8617c1a9933e613530ddd8404b4c4d3a08ce3d6df0140676c4d79786c13
Instruction Fuzzy Hash: A1012836114281AED3A9DB79A54DF9777BAEBC1F31F18802DF40D5B6819AA89480CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0198701D, Relevance: 5.6, Strings: 4, Instructions: 569COMMON

Download Yara Rule

Strings

LdrpResSearchResourceMappedFile Exit, xrefs: 019870D4
#, xrefs: 019C86BA
MUI, xrefs: 019875E1
LdrpResSearchResourceMappedFile Enter, xrefs: 019870B9

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-3266796247
Opcode ID: 26c825c01f5d725ace9ae33e4f03d2089207996fa5a28475b9e2c6ac49f62dc4
Instruction ID: 055afeb171e1399948345a8a03ad30519ee53e00f6338981bcc5aa08a9073e0e
Opcode Fuzzy Hash: 26c825c01f5d725ace9ae33e4f03d2089207996fa5a28475b9e2c6ac49f62dc4
Instruction Fuzzy Hash: D332BE31A002698BDF2ADF58C884BEDBBB9AF45741F2444EAE84DA7251D7309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0197A830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019C22E6, 019C23F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 019C2403
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019C22F3
HEAP[%wZ]: , xrefs: 019C22D7, 019C23E7

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 3c895d81db0a388666cec8f20a809f99b3ea3e1da306504802d4515409b7ce6a
Instruction ID: c6c2df0a21b0ae2e1be1ba4cd0f58acdfe7e99a9abe2a0db5d4771f5e1b6254e
Opcode Fuzzy Hash: 3c895d81db0a388666cec8f20a809f99b3ea3e1da306504802d4515409b7ce6a
Instruction Fuzzy Hash: ACD1DF34A002469FDB19CF68C490BBEB7F6FF88700F188569D98E9B346E330A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0197A229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019C1DE4
`, xrefs: 019C1C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 019C1DF9
HEAP[%wZ]: , xrefs: 019C1DD7

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 49f0715d43111c81fd6b335ae9516e63e15033c7d2be4856c9c1961cfdc85d00
Instruction ID: 5185ebcbbb43a77233d0a6a8a52e8b434dd436bd23d704b2ac224f290b98e520
Opcode Fuzzy Hash: 49f0715d43111c81fd6b335ae9516e63e15033c7d2be4856c9c1961cfdc85d00
Instruction Fuzzy Hash: A55106322056819FD712DB68C848F6B7BE9FF80B50F090868F999CB292D734D900CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01A149A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A14A4A, 01A14A5D, 01A14A5F, 01A14AC4
HEAP[%wZ]: , xrefs: 01A14A3D, 01A14AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01A14A61
This is located in the %s field of the heap header., xrefs: 01A14AD6

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 2a3d86a2d33f6f3f792fb23ccf2bdf3a7da1cb30060a4f25389600131f1e19a1
Instruction ID: f5311b31c8d20ad4e3f0af0b6315932aacd2fddb39ba05d07d99ad1bb417e656
Opcode Fuzzy Hash: 2a3d86a2d33f6f3f792fb23ccf2bdf3a7da1cb30060a4f25389600131f1e19a1
Instruction Fuzzy Hash: D731F236200101EFD760DBADC885F6677A9EB88760F1A4069F90AEB295D770A940CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0195751A, Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019B2804, 019B2841
VirtualProtect Failed 0x%p %x, xrefs: 019B2811
VirtualQuery Failed 0x%p %x, xrefs: 019B284E
HEAP[%wZ]: , xrefs: 019B27F7, 019B2834

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 78b4dbbd63331397efe8b8be3d7f439b32fbcc1fcb74c4811faf311375378dcb
Instruction ID: 3f7b2372510b9f2ae478253517f1f8cba8f29f0afc7bce56cee86c4bef94014d
Opcode Fuzzy Hash: 78b4dbbd63331397efe8b8be3d7f439b32fbcc1fcb74c4811faf311375378dcb
Instruction Fuzzy Hash: C431F632900145AFDB51DB99CC84FAABBB9FF84720F144065F91DB7291D770EA41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01A13518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

RtlDestroyHeap, xrefs: 01A13571
HEAP: , xrefs: 01A13555
HEAP[%wZ]: , xrefs: 01A13548
May not destroy the process heap at %p, xrefs: 01A13561

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 225a17ca72dbfc26b201d1928c47ffbde35f624bac2760b23774e6d028930c9f
Instruction ID: 972b706bcae1d493a8a081e214577afb803c9c6e6eeaf80a976a53eda1ade845
Opcode Fuzzy Hash: 225a17ca72dbfc26b201d1928c47ffbde35f624bac2760b23774e6d028930c9f
Instruction Fuzzy Hash: 9601D232110201AFCF61EF7D8844FA677E9FF85A30F048459E80EAB685DA71E985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019799BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019C155D, 019C1624, 019C17C9, 019C1912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 019C1572, 019C1639, 019C17DE, 019C1927
HEAP[%wZ]: , xrefs: 019C1550, 019C1617, 019C17BC, 019C1905

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: f123d8e2b24beb820bacad22e361d427237279cda05e3b9712cf4f5c9f336ef5
Instruction ID: 15fb45f29c2a16b0990c543a96a75294f78315dbeeede3f23be38d67ea772788
Opcode Fuzzy Hash: f123d8e2b24beb820bacad22e361d427237279cda05e3b9712cf4f5c9f336ef5
Instruction Fuzzy Hash: 9722C270600242DFEB15DF2DC454B7ABBB9EF85B05F18856DE48E8B282D731D885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019662A0, Relevance: 4.0, Strings: 3, Instructions: 291COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 019662E2
MUI, xrefs: 019662B8, 019663B7
LdrResGetRCConfig Exit, xrefs: 019662F4

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 8946a38142176e6f1d64f641243f5f9b4c6e13141c1424400b539618324a06b1
Instruction ID: 84474ce971fd253ff5a0ed691d1ea740418c99e30efabc9a1b2dd80513787f71
Opcode Fuzzy Hash: 8946a38142176e6f1d64f641243f5f9b4c6e13141c1424400b539618324a06b1
Instruction Fuzzy Hash: 8EB1E471A006569FDF15CF69C981BACBBBDBF44318F18452AE919EB394D730E850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01958239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 019B2F2C
\??\, xrefs: 019B2E2A
UseFilter, xrefs: 01958263

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: e21b5784ef24895cea22781cf865b2712876a079e02fdf45d859348f716a0002
Instruction ID: 5eacdb13f14d469499b6ec3ce59034ac7d9fcd7e109ebab8cf1afb06d03bf8e9
Opcode Fuzzy Hash: e21b5784ef24895cea22781cf865b2712876a079e02fdf45d859348f716a0002
Instruction Fuzzy Hash: B3A14A719116299BDB31DF68CD88BEAB7B8EF44711F1001EAE90CA7250D735AE84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A023E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A0255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 01A0256F
HEAP[%wZ]: , xrefs: 01A0254F

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: b07f8c8b0a017207a2a1ac3f942132900a3f0078b927b5e25c74ca03958a5f05
Instruction ID: 84ee5114df632382edd7cc74926ceca9689c3ccccdb049e60e283bfa0047b9ab
Opcode Fuzzy Hash: b07f8c8b0a017207a2a1ac3f942132900a3f0078b927b5e25c74ca03958a5f05
Instruction Fuzzy Hash: 1C51E5341003508AE776CF2EE85C7717BF1EB84744F5A485BE9C68B2C6D22BE446DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0197EB9A, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019C42AF
HEAP[%wZ]: , xrefs: 019C42A2
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 019C42BA

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: 4cbf18a92bdf18aded3b7327b6d3ca33ef5ebe94e297d11e09f74aef4ec7015b
Instruction ID: e4e6f28ec411d4bc84c049ef7dc57a3398f9f2ac246d5d4cdf09fe9960c309d8
Opcode Fuzzy Hash: 4cbf18a92bdf18aded3b7327b6d3ca33ef5ebe94e297d11e09f74aef4ec7015b
Instruction Fuzzy Hash: E951FE34A00515EFDB14DF69C884B7ABBB6FF84310F2981E8D80A9B342D730AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0197B8E4, Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019C2C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019C2C8A
HEAP[%wZ]: , xrefs: 019C2C72

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 82e9a39697bbac18169d96ba1dca5d29b0ea765ecc6c88c2edf7720e6c67eede
Instruction ID: 15207c51e42b0f3a998f7e24d2d10dd56a15fe55392dcee89967d10d88603313
Opcode Fuzzy Hash: 82e9a39697bbac18169d96ba1dca5d29b0ea765ecc6c88c2edf7720e6c67eede
Instruction Fuzzy Hash: 5911D0317041029FE769DB29C494F7AB7AAEF80A25F28856DE55FCB241D630D841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0196BA00, Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

$, xrefs: 0196BA68
.mui, xrefs: 0196BC37

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: $$.mui
API String ID: 0-2138749814
Opcode ID: ffa1522e43509923f9f1b49234a432e81cdafb8d369ab2d66a342d41ba0a500a
Instruction ID: 0a5aa2abfbe9bd369c41f51a1d513a39bb64ee9d3bc886d89711e5df0f33337c
Opcode Fuzzy Hash: ffa1522e43509923f9f1b49234a432e81cdafb8d369ab2d66a342d41ba0a500a
Instruction Fuzzy Hash: 7E424F71A026699FEB21DF59CD80BEAB7B8AF85210F0045DAD50DE7252EB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019699C7, Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 019699F2
LdrResFallbackLangList Exit, xrefs: 01969A04

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-1720564570
Opcode ID: 90ab5c3d1795f1cbf2c6f5a2aefc06eefbc3f7262c07a90922cc33b5f9480d0d
Instruction ID: ea526ccd28dfa477fed82a1d2db89bc79d08f51953c439d1fbea2c2e22e129b1
Opcode Fuzzy Hash: 90ab5c3d1795f1cbf2c6f5a2aefc06eefbc3f7262c07a90922cc33b5f9480d0d
Instruction Fuzzy Hash: A6B1BF72608386CFDB15CF28C580BAAB7E8FF85748F044969F98D9B291E734D944C762

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 01A1E670
`, xrefs: 01A1E5D7

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 5c6c4012e0159a4569f4bf166bd37a12ea1f641bbec66d7eee02cf6d3c67588d
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 9A9182316043429FE726CF29C941B1BBBE6BF84714F18892DFA99CB284E774E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019D51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 019D5226
UEFI, xrefs: 019D521D

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 22ee1a4ae5863486910d2e4cf27875de7f092ecf4af7a7095b7b8dceff2914c8
Instruction ID: 8d42bc068912cfae7f3a4120e22230110d265204ff6b4699db3b2f386ec1adae
Opcode Fuzzy Hash: 22ee1a4ae5863486910d2e4cf27875de7f092ecf4af7a7095b7b8dceff2914c8
Instruction Fuzzy Hash: 14515D71A00609DFEB25DFA9C940AAEBBF8FF98740F15842DE64DEB251DA71D900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019884E0, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Enter, xrefs: 019884FA
LdrpResGetMappingSize Exit, xrefs: 0198850C

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: faf98dd0b4b6a4b27d651dc343eaef51c89791ee51746908b553f79d0f37629e
Instruction ID: bf8fb597096417fff4db5d342d80517b3b8cd37f113ab3d8fa1b9480516427d1
Opcode Fuzzy Hash: faf98dd0b4b6a4b27d651dc343eaef51c89791ee51746908b553f79d0f37629e
Instruction Fuzzy Hash: 1B51E471A00249DFEB12EFA8C840BAEBBB9BF54744F440469E909EB291E774D940CB35

Uniqueness

Uniqueness Score: -1.00%

Function 019661A7, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 019661DD
RtlpResUltimateFallbackInfo Enter, xrefs: 019661CE

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 6d473b3868488209edfbb46b41643d7d12e88f1f7974a5461826c97bf0e4e18c
Instruction ID: 7bbc205c5dc83f418154984d15dcd06c152bdf455c698a88b561c926cce9d03d
Opcode Fuzzy Hash: 6d473b3868488209edfbb46b41643d7d12e88f1f7974a5461826c97bf0e4e18c
Instruction Fuzzy Hash: DD41E171A00205DBEB25CFAAC984FAA7BBDFF85305F144469EA0CDB291E735D940CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0198D4B0, Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 019CB0B7
RtlpInitializeAssemblyStorageMap, xrefs: 019CB0B2

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 71d3533eda0f124d523f3b8686a078c11a21ee1d724c08c3b001f02df789a38f
Instruction ID: b38e475c2564c7e56c16aa20f076761d80c89d8cb9c6b5b860f87ac479a23f04
Opcode Fuzzy Hash: 71d3533eda0f124d523f3b8686a078c11a21ee1d724c08c3b001f02df789a38f
Instruction Fuzzy Hash: 90110672B00204BBF724EA9D8D41FAB76ED9BD4F55F14802DBA0CDB2C4E671DD0082A5

Uniqueness

Uniqueness Score: -1.00%

Function 0196C1C0, Relevance: 2.1, Strings: 1, Instructions: 876COMMON

Download Yara Rule

Strings

MUI, xrefs: 0196C2EE, 0196CB6D, 0196CE47

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 2de37bca7ccee8f2a4ce1910c5f40805f28182eb4621452a44a373a5770b5478
Instruction ID: 96da7214054193c95429c591d4f9032c777ebcdae74dc1663cf65eec7a9b0903
Opcode Fuzzy Hash: 2de37bca7ccee8f2a4ce1910c5f40805f28182eb4621452a44a373a5770b5478
Instruction Fuzzy Hash: C7728275E00219CFDB21CF69C980BADBBB9BF48310F14856AE99DAB241D734AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 019FEB8A, Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

@, xrefs: 019FF10A

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 520b0c692fe20b05fb126356d1a14eecc779838f2943e8109af76dc1f938c973
Instruction ID: 191ad8bb8ed71da305086ae019113e1af70ad2a4b1023305d452bd64dcb54cb9
Opcode Fuzzy Hash: 520b0c692fe20b05fb126356d1a14eecc779838f2943e8109af76dc1f938c973
Instruction Fuzzy Hash: 7B320475604651ABEB25CF2DC080772BBE5BF45301F09889EEB8E8F296D335E456CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0197B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0197B9A5

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 1888ad2d68e75ec5d8ce3623cad668edb4242bb7b6a0ea59deffa58c02a3e178
Instruction ID: 997f24e16c8787524e9fdad5ea2b54bf7b346c690b84ff0fb3996e060c2e994b
Opcode Fuzzy Hash: 1888ad2d68e75ec5d8ce3623cad668edb4242bb7b6a0ea59deffa58c02a3e178
Instruction Fuzzy Hash: AA514871A08301CFC724EF6DC08092ABBE9BF88615F14496EF99A87355D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01982581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01982642, 01982691

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 2707e5d8f008515bb98a2d0a6cbc6a193cc4bc52fde081b63f0fbfdae6b03b6d
Instruction ID: 87c474c206330f2fafb281553c69dee40713403e731e63706854dbc4e44bfdc8
Opcode Fuzzy Hash: 2707e5d8f008515bb98a2d0a6cbc6a193cc4bc52fde081b63f0fbfdae6b03b6d
Instruction Fuzzy Hash: 20C1C1B5E00209EFDB25EF99D880BBDBBB5FF88740F444429E909EB250D735A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0198FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 019CBE0F

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: d45d180d746bd4617093ab46998ae2f202ead796010f6dae9f51b6692b5beaec
Instruction ID: 1a8ea70f284a6acb9c6b7e885c6cff6b3046d5eadec83b2b4f4de08fbb98cb64
Opcode Fuzzy Hash: d45d180d746bd4617093ab46998ae2f202ead796010f6dae9f51b6692b5beaec
Instruction Fuzzy Hash: 30A11671F00606CBEB25EF68C450B7AB7A8AF84B51F04496DDA4ECB680DB30D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01952D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 019AFA4A

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: d74d03b2f9721a8ea8be4fc594538508b212e1761a2a35db735afa0591568c50
Instruction ID: 93bc4929f90539dbda4ff4328c64e0bf99903f415249ac4a8243cf1618fbbdeb
Opcode Fuzzy Hash: d74d03b2f9721a8ea8be4fc594538508b212e1761a2a35db735afa0591568c50
Instruction Fuzzy Hash: E6613331A00645EFEB32DF6CC894BBE7BE8EB84314F540669D91DA72C1D734A94987C1

Uniqueness

Uniqueness Score: -1.00%

Function 0198F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0198F124

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 39c2ea29ddcba59b5336b8ef257df0eb57cea8616afd873b8891221f57c48940
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 6B518F716047119FC320DF19C841A6BBBF8FF98750F00892DF99987690E774E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019D358F

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 2552289a6049dcdf093e6788c6c94f995c8d7b08bde516f6e96ec6c05a3f5aaa
Instruction ID: 7f34a50df87966fac4fc197c23c0c0336215aa96f81c66bb2b30c014a0285bdf
Opcode Fuzzy Hash: 2552289a6049dcdf093e6788c6c94f995c8d7b08bde516f6e96ec6c05a3f5aaa
Instruction Fuzzy Hash: 564161F2D0052DABDF21DA54CC85FAEB77CAB54715F4085A5AA0CAB240DB309F88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01A205AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01A20633

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: bbfa4d861bd8056ba9fa7ab963bf88fd2a5d5fdcede2156ef28d412c440dec98
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2D31C2326043566BE720DF28CE45F9B7BE9ABC4754F144229FA589B280E7B0E904C791

Uniqueness

Uniqueness Score: -1.00%

Function 01984020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019840E8

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: 27454e2180118a7849386ebf997463e9d059b99dada918b39570eba4ff077b70
Instruction ID: 4ea5461395e3b558f2893f90e65fd221e35a00ee7f488b6ca182753772a8a6f2
Opcode Fuzzy Hash: 27454e2180118a7849386ebf997463e9d059b99dada918b39570eba4ff077b70
Instruction Fuzzy Hash: FA414F75A0074A9AD725EFA8C4417E7F7E8BF69701F00492ED69EC7240E334A545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019D3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019D38B4

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: ce08fc621945658c45da95d8a2c4b17aa4233172434e16b03ef0c55856812486
Instruction ID: b115eb170c861b61970cec6c10ac19979e2794055c6af57bdfd4721d09d03ecc
Opcode Fuzzy Hash: ce08fc621945658c45da95d8a2c4b17aa4233172434e16b03ef0c55856812486
Instruction Fuzzy Hash: D031D1B290151AEFEB15DB58C945E6FBB78FB80B61F018169A91CA7290D6309F00C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0198D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0198D303

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4621203e80d5e59f0ec3d52b868d7021ea700369ee9ada603678f5ed9426afef
Instruction ID: a0fe392ef685bd38d15f3521050ce2e5acbac73c9867d2d281a19686a943a583
Opcode Fuzzy Hash: 4621203e80d5e59f0ec3d52b868d7021ea700369ee9ada603678f5ed9426afef
Instruction Fuzzy Hash: DA3191B55483059FC721EF68C980E6BBBE8EFD5658F00092EF99993290D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01961B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01961BC5

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 6887633a6aff46c7fa4998bd79dc033c75e5e5a3b7d82fefdafd9363bb646647
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: F921DA76901519ABDB229A9DC980F9FBB6DEFC1651F054536FE0C9B204D634DD00D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01A08DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01A08E21

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
Instruction ID: 94431a90587fecead8414b42adc4e64fd315be4601bb4213305ba2270d5d037d
Opcode Fuzzy Hash: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
Instruction Fuzzy Hash: FE1179B5D40348DBDB26CFA8990579DBBF0BB54714F24421DE128AB282C3344A05CF18

Uniqueness

Uniqueness Score: -1.00%

Function 01A25BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
Instruction ID: 6c1da0057fe850037c1217b85ba5e1ec0cf4228fa94a09c6bfdae6a726bb1d0c
Opcode Fuzzy Hash: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
Instruction Fuzzy Hash: 8B422775D012298FDB24CF6CC880BA9BBB1FF49314F1481AAD94DAB242E775A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01974120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f341312f377394c6ae65841c37a06aa09c542d36575b23eb15e6a6a2f4b7a0cb
Instruction ID: 2cd6ebc4330ea0a2b6b8fd6415f6ed2a114b7012ef50311385fa60777b5f6d03
Opcode Fuzzy Hash: f341312f377394c6ae65841c37a06aa09c542d36575b23eb15e6a6a2f4b7a0cb
Instruction Fuzzy Hash: A1F19E706082118FC725CF18C580ABAB7E9FF98715F15492EF98ECB252E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019820A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a2e0ecd00600bc249a0f02feac247fec11813ef3a862f70e68f9a0ce0d54fe
Instruction ID: b386acd337f3c1eb354c9edbbd9368984ecb59d7626cf1733d493542329ad319
Opcode Fuzzy Hash: a5a2e0ecd00600bc249a0f02feac247fec11813ef3a862f70e68f9a0ce0d54fe
Instruction Fuzzy Hash: 6BF115356083019FEB26DF2CC440B6A7BE9BFC5725F15891DE99D9B281D734E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01956800, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653446e123036dcbc0c96b325d38a211fd23b1c991c3feaa6bb517a710d2496c
Instruction ID: ddab348bdbe5219f2e38eef3388af81e206f0af833b22067fc001e1f383efebd
Opcode Fuzzy Hash: 653446e123036dcbc0c96b325d38a211fd23b1c991c3feaa6bb517a710d2496c
Instruction Fuzzy Hash: 6DD1D371A002169BDB54DF68C9A0AFAB7B4FF54314F44462DED1EE7280E734D945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019865A0, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c49ee1fa231eabb08f662a1b12b17fe0c64bbd533af16e8875f9ed7fc1c418
Instruction ID: cd92b7f17a3d4140b71c65bfd628d7227a6b086acb9dca5d05b56af62a6f5217
Opcode Fuzzy Hash: 84c49ee1fa231eabb08f662a1b12b17fe0c64bbd533af16e8875f9ed7fc1c418
Instruction Fuzzy Hash: F0E19275A00205CFDB18CF59C480AA9BBF5FF88311F14816DE959EB395D734E941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0196D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fb1f98d97ceb975b00704f95e64dcadec15f3212625dadc0a72263a0c3d865
Instruction ID: c01c047cd55c7e63eac6e7e7337367880c93a32d921e256ddb858c51d71ac154
Opcode Fuzzy Hash: 73fb1f98d97ceb975b00704f95e64dcadec15f3212625dadc0a72263a0c3d865
Instruction Fuzzy Hash: 8CE1F374B01359CFEB24CF58C984BA9B7FABF81304F040199D95E97291D7389D81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01953ACA, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d677c5ded7129f1a8dd43268686e42931332b52d199c1cecd344affe5b57dc7e
Instruction ID: 56cc2cb928c7b6def0bd2548ac09bec5aa652b00cb5f3ed95e21bfc0518190fc
Opcode Fuzzy Hash: d677c5ded7129f1a8dd43268686e42931332b52d199c1cecd344affe5b57dc7e
Instruction Fuzzy Hash: DEE10071D00608DFCB65CFA9C984AADFBF5BF88341F14452AE94AB7661D731AA41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0197B236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: b1d88394c1e8aeca4d15e6d80b68c4511b31940d8f265e68bb88a1fe95aebd67
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 32B1D331B0160A9FDB25DBA9C890B7EBBF9EF84B00F144569E64AD7381D730E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0196849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f0d6e92cd58212bc149e3adcc1859a424fbac344960667b0bb96fb27b02bb9
Instruction ID: 6f461174a29bcbd22dc804b9ca1983d5b288b2bfa341e501b4c6340fd6bc03a9
Opcode Fuzzy Hash: 70f0d6e92cd58212bc149e3adcc1859a424fbac344960667b0bb96fb27b02bb9
Instruction Fuzzy Hash: A4B16FB4E00359DFDB15DFE9C984AADBBB9FF88304F104529E509AB245D770AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0198513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadd7d803f22eb073a820828bcbe982aec66f609ad2ac08916f67e3889e6de02
Instruction ID: bb2bffc8834f7fb8f7fddc64c3d287df08a2584ee0885ce1bf9691e80b3367cb
Opcode Fuzzy Hash: eadd7d803f22eb073a820828bcbe982aec66f609ad2ac08916f67e3889e6de02
Instruction Fuzzy Hash: 29C111755083818FE354CF28C580A6AFBE1BF88704F184A6EF9998B352D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019803E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8333b891058085fd3555cfff4f16aa8c2282b0a5027c62b62e868a42184b8ea7
Instruction ID: c6257aba80004eb4c366b1a232c9a5a1afb2b4f178a5113c6548beb638979c88
Opcode Fuzzy Hash: 8333b891058085fd3555cfff4f16aa8c2282b0a5027c62b62e868a42184b8ea7
Instruction Fuzzy Hash: CA918D31F402159FEB31EB7CC854BAD7BA8AF41B25F090269F958AB2D1E7349C04C792

Uniqueness

Uniqueness Score: -1.00%

Function 0198DA88, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ebc13695a1273a501cb8b30b5dd2872541c8fa20a9745de1b59f0cba6f596
Instruction ID: bef8872ca0e51f5020665d4fd3543ebf8d7f1946415dce5d19acfd5625472303
Opcode Fuzzy Hash: b94ebc13695a1273a501cb8b30b5dd2872541c8fa20a9745de1b59f0cba6f596
Instruction Fuzzy Hash: 01A19B78A00205CFDF25EFA8C480BA9BBF4BF89355F24455ED8599B2D2D771D882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01955AC0, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a10f3997fd31ec8913196621a6d694afdc3f5e223ba6f725828ca563dbdf22
Instruction ID: 76a9f18984b30c94aa9ec2f5e250bedea09e7d8a5b5c030ce3e73c10713f5f1e
Opcode Fuzzy Hash: 92a10f3997fd31ec8913196621a6d694afdc3f5e223ba6f725828ca563dbdf22
Instruction Fuzzy Hash: 0B81E8B1A0011D8BEB25CA18DE90BEA77B8EF44314F0545B9DA1DE3281D774DEC1CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0198138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: b1ef5b2d349fd317d2b49a4cbd990a6d0c5c8d4905b10c1946d0215850393415
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 7E81AB75A003469FDB25DF68C540AAABBF9EF58700F14856EE98AC7751D330EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019EB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22324c1eac55a4cd86e188e806724a04fe7b51e906b5388b8c988ffc4170f92
Instruction ID: e1c9bfc35f3d1edf1c459b618f0a051ce6155434bad9d7699fe8e4c59d00ce60
Opcode Fuzzy Hash: a22324c1eac55a4cd86e188e806724a04fe7b51e906b5388b8c988ffc4170f92
Instruction Fuzzy Hash: B871D032200706EFEB33DF19C848F56BBE9EB80725F144928E65E976A0DB71E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019D6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 69a4d1140d03ad83534ec4f71124a37fae6d186ee245ece70ea1a50a354d7333
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: D7716F71A00619EFDB14DFA9C984EEEBBB9FF88714F104469E509E7250DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0196F370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9f4206f00a83247b2be6cf948edb699d366c2dfc07c7d01468a531e3bd0706
Instruction ID: 2876f510aa74f9d175248b3205ef1b804300b75250b4b230d5b2c8fa635ce944
Opcode Fuzzy Hash: 7d9f4206f00a83247b2be6cf948edb699d366c2dfc07c7d01468a531e3bd0706
Instruction Fuzzy Hash: 1C612236A011158FCB26CF5CD4947BABBB9EF85700B1884A9E85EDB785DB34C942C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0195395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efcc0dd68378221e1921ef855f4f3ed3ef56bd37ba6c3be2659c2efcf16ddb6
Instruction ID: 0b47c8b799746a60d26db941909420f438f6fa789007f0b0da782ef434e641b4
Opcode Fuzzy Hash: 7efcc0dd68378221e1921ef855f4f3ed3ef56bd37ba6c3be2659c2efcf16ddb6
Instruction Fuzzy Hash: 0651BD71A00742DFDB25EF99C884E6BB7B9FF9430AF00482DE50A97612DB74E944CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0195B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5e8d579b571c7485a3aa3e3f2413e7bf3266306bbc8db7812338683efa2be9
Instruction ID: 7585f868bd0c07e4dc0cc3c4eaf078640802fd65a945478af64b7462fcb71474
Opcode Fuzzy Hash: 6b5e8d579b571c7485a3aa3e3f2413e7bf3266306bbc8db7812338683efa2be9
Instruction Fuzzy Hash: C451D171D002698EDF25CF68CA84BEEBBB5BF40710F1041A9D85EAB282D7704945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 019895EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16394d2c865797f8fe728120dd7f6e4b85183d066bc0979ce73c818af7dc2a24
Instruction ID: 73cffab7ee1850594b8d1364b6df21a1bc1e21a1a1674875c927ad921ed5f5fb
Opcode Fuzzy Hash: 16394d2c865797f8fe728120dd7f6e4b85183d066bc0979ce73c818af7dc2a24
Instruction Fuzzy Hash: 1A51E230A0060AEFDF16EF68C944BBEBBB8BF9471DF00452DE51A97690DB749911CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A1B581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b00053a584e2f49640b5e37e8f3803208162a14c3bed2a13f7d9b1b77875775
Instruction ID: 9f7237ba3ffd6d9136ad93ef9799c3a8fe618855aefa74efc99ae1c9699b8b10
Opcode Fuzzy Hash: 8b00053a584e2f49640b5e37e8f3803208162a14c3bed2a13f7d9b1b77875775
Instruction Fuzzy Hash: 6C5115316057428FE315DF68C694B66BBF1FFA4314F08086DE9568B294EB34E805CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019552A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fb1efda29d3aa40c10b71a17345a8aad482878965b373a772be29c7c20c2f4
Instruction ID: 01d24ff5a341b2f80043606be2787ec9f0ce20ae950c45154065a5eb33a517fc
Opcode Fuzzy Hash: 89fb1efda29d3aa40c10b71a17345a8aad482878965b373a772be29c7c20c2f4
Instruction Fuzzy Hash: 3D51BC75205382AFD721EF68C941B27BBA8FF90710F14491EF89997652E774E804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01982AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858b5ceca6fb5caba0d197a4b417a040287676f32463cc0a78a242f47f32ba8b
Instruction ID: 99dae6036a6347689ced8a1da72fd842352e424d61f5ff32fc90c21c49a79b6a
Opcode Fuzzy Hash: 858b5ceca6fb5caba0d197a4b417a040287676f32463cc0a78a242f47f32ba8b
Instruction Fuzzy Hash: 8D51C27AB01115CFCB15EF5CC8809BDB7F1FB89700715845AE89ADB315E734AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01983C3E, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd265f4bc84b7a64e5e9fba933175e9a49e5030b209f1f6be1ab8ede10a7fa82
Instruction ID: e15389c527dd497fa49294ac34db7781d5eb8494ab65424bc4dad23265aea446
Opcode Fuzzy Hash: cd265f4bc84b7a64e5e9fba933175e9a49e5030b209f1f6be1ab8ede10a7fa82
Instruction Fuzzy Hash: 67517F71608342AFD700EF69D844A6ABBE9FFC4614F14492DF99DC7281D770EA05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0197DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c2a7a0aadea83507fe3d0b0c8868fb66ed9e762b6c33869eb1e178637283e0
Instruction ID: 5dcf2ddc490b6f5f74891642c47366df4f84005b71ad30f3ba978ca53019a6f1
Opcode Fuzzy Hash: f7c2a7a0aadea83507fe3d0b0c8868fb66ed9e762b6c33869eb1e178637283e0
Instruction Fuzzy Hash: 3251AE75E00606CFCB15CFACC480AAEFBF5BF88310F24855AD959A7344DB31A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01994D51, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction ID: 76c193ecdf9de63ef36809c569452d19dca64cb1194248b15f4ead98d40353bd
Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction Fuzzy Hash: 8F516835A00215CFCB16CF8CC580AA9F7BAFF88710F2445A9D859AB350D730AE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01982990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f49cadc93b32b97bcfbd37a564f6e8b32814bebfa10d2ecf77ee562fe78f483
Instruction ID: fafad3af01aa28d1f8ce002f481d85115a9b7583f198bcafcdaffa695c35f533
Opcode Fuzzy Hash: 0f49cadc93b32b97bcfbd37a564f6e8b32814bebfa10d2ecf77ee562fe78f483
Instruction Fuzzy Hash: 3C518C71A0020ADFDF25EF98C940ADEBBB9BF58710F118165E908AB260C335DD52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01955050, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc33dcd9e113c9e542e8805d41b390ff9245812615d035fbda03db97b7423644
Instruction ID: d78457ac9ebc47b2dcea9d7d0e7a95be3532d121f0913189676a3ae3dd7d16a1
Opcode Fuzzy Hash: dc33dcd9e113c9e542e8805d41b390ff9245812615d035fbda03db97b7423644
Instruction Fuzzy Hash: 5F41D036604312ABD320EF28C980B6BBBA8BF94710F154D29BD9D97252E770DC42C795

Uniqueness

Uniqueness Score: -1.00%

Function 01984BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530a52519c27317b54f307ede66d15e31dfc0fb912a09381af0b41f0d80cb6e1
Instruction ID: 988431e5e99b62c049e4731477e4705518a87752f86301e99468e421a2fbbc3e
Opcode Fuzzy Hash: 530a52519c27317b54f307ede66d15e31dfc0fb912a09381af0b41f0d80cb6e1
Instruction Fuzzy Hash: 31418435E402299BDB21EF68C940FEA77B8EF45B10F0104A9E94CAB341D774DE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01984D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cf0df4b1aaf1f73bf341c72b43eb5eba6b8f219a46b689c93c230b631d4741
Instruction ID: da1075fbb7dcea3fd329e49a5a3b5b46088ccf1e4d6695aba2393eff956dbeb8
Opcode Fuzzy Hash: a6cf0df4b1aaf1f73bf341c72b43eb5eba6b8f219a46b689c93c230b631d4741
Instruction Fuzzy Hash: 6A41D675A40319AFEB32EF18CC80F6AB7A9EF94711F004499E94D9B282D774ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0197F86D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef089af04adafb059d612348d5211cbc50a4dca381e3e86ccefb0e1bc5f82bd
Instruction ID: c680698f3b4540c89329c08453c37f36f44e8ee35fe65bc374413b1ad216c0a5
Opcode Fuzzy Hash: 1ef089af04adafb059d612348d5211cbc50a4dca381e3e86ccefb0e1bc5f82bd
Instruction Fuzzy Hash: 2C41C171A00216EFEB22EFACC880BEEB6B9BF98B15F140419E56DF7251D774D8408751

Uniqueness

Uniqueness Score: -1.00%

Function 019E6365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: dbe091e89818ad129d3cd71dbb17bf03e19360a0adc5d759d18c50a7c62e3508
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: 0441E436600105EBDB16DF6CCC55BAF7BB9EFA4B51F194068EA0A9B241E730DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01951AA0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction ID: 1b17383649639093188922ca9b3d60f78a9afb91fe9e02b4ac5f3ccb06c296b1
Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction Fuzzy Hash: A6411B71A00605EFDB65CF99C980EAABBF9FF08300B10497DE95AE7650E330EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0195649B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9afe5f20b10f0ca53d87704614c9bd4ec5fde70ead9eb326f1b5ffbb1161a66
Instruction ID: 4455106aef04df451e1ac75ac23e9627e8f448884453a7b0441ad68c5e67506d
Opcode Fuzzy Hash: e9afe5f20b10f0ca53d87704614c9bd4ec5fde70ead9eb326f1b5ffbb1161a66
Instruction Fuzzy Hash: F1414F325483469ED311DF64E940A6BB7E9EF84A54F40092EF988D7250E730DE15CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 01960100, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62252f605c3d07855f07ecaaa700e0de453010c1a02c0dc82c6a4eaee74e7a3b
Instruction ID: 6712c71782e7caaaef558f7124ecc6da3772e32a26ba6bb77bbe9708c3ff5666
Opcode Fuzzy Hash: 62252f605c3d07855f07ecaaa700e0de453010c1a02c0dc82c6a4eaee74e7a3b
Instruction Fuzzy Hash: D4412135940205DFCF21DF68C9C0BEE7BB8FF95355F090519E819AB282C3719985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01968A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487ca257c41c757bdc14ddfb6f6d33f32c03adb12802d5d9f5c9e7d540367a68
Instruction ID: c9d11902f57af6afb583a7d8cb7cda27749d965f073a2df7706861e36503a70a
Opcode Fuzzy Hash: 487ca257c41c757bdc14ddfb6f6d33f32c03adb12802d5d9f5c9e7d540367a68
Instruction Fuzzy Hash: 314145B5A4032D9BDB24DF69C888AA9B7FCFB94301F1045E9D91D97252E7709E80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01A1AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 6b37ad2c1fa7487dfdf39e1b01f3b8abe86f0d1e7a7c99c5951c86b7e10456e5
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 83312536F061C96BEB158BA9CD44BBFFBBBEF80210F098469E905A7245DA74DD00C750

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 26da55a3c9a5b78a395b6a56a6923d2f9a2e6004aa33171fa6bdf6ffde6bcc3b
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 83315776300A806FD7228B7CC944F6ABBEAEFC5650F084158E9468B38ADA74DC05C760

Uniqueness

Uniqueness Score: -1.00%

Function 01A1EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 2aed43101713566eb65af7e9f92509b6ee3f653bf49c20064352aa9af4df925b
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 7631B4726047069BC71ADF28C980A6BB7AAFFC4310F04892DF95687685DE30E805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0196B433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: b3fe9dfc05b9440808b9760204642302ccb1e783c35e8266518fc9490e1ee909
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: 00412432A04245AFDB12CBA8CC80FDABBACAF50740F0485A6E45ED7252D674A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5e233538fa798ae1bc0a110a4b0869f6ca6f0416eab7bf5cbfd4a2270ce539
Instruction ID: 3493057c8780d00ecaf61c594c35b321063cd5352f8db50347973de18ae29534
Opcode Fuzzy Hash: 4f5e233538fa798ae1bc0a110a4b0869f6ca6f0416eab7bf5cbfd4a2270ce539
Instruction Fuzzy Hash: BE4183B5D00209AFDB14DFA9D940BFEBBF8FF88714F14812AE958A7240DB749905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01955210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a96eec4d76b66cfabf81c90f9858414eadfee57c0a099754e5c6f5efd13616d
Instruction ID: 1574c8ef38e318ded7a32af4f77a7c12c0e922c733d8e35127041d08d5a6cd2d
Opcode Fuzzy Hash: 2a96eec4d76b66cfabf81c90f9858414eadfee57c0a099754e5c6f5efd13616d
Instruction Fuzzy Hash: 2B312631651701EBDB62DB28C980FAB77B9FF907A1F154A19F81D5B5E1E760E800C790

Uniqueness

Uniqueness Score: -1.00%

Function 01993D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc635758fef2bfbf1725342074f478040b6d9a13acb050d49862d539ef28caa
Instruction ID: cefdd6f71673715da5a9aa08372a2348abd0fc1acf7a354f46d88cf78aab2178
Opcode Fuzzy Hash: fbc635758fef2bfbf1725342074f478040b6d9a13acb050d49862d539ef28caa
Instruction Fuzzy Hash: 5531DE31600615DBDB298F7DC851A6BBBE9FF85B01B05846EE94ECB350E730DA40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0197C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 5be1d91647e7f530615e078d96d9d7fa34794c6033271682c4be5f805ab9bd61
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 3C313872B01547BED705EBB8D490BE9FB98BFA2204F04416AD41C57301DB78AA49CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019D7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b2ba75dfbf920ede2ca1011e52462be64e363c9f403ccc0e1a6292ac9f993b
Instruction ID: f3979a1e1bb1a60627f6cf324dbe5b9145c8a9c06de306d93d64fde51fe5e7a7
Opcode Fuzzy Hash: b0b2ba75dfbf920ede2ca1011e52462be64e363c9f403ccc0e1a6292ac9f993b
Instruction Fuzzy Hash: 3B31C4766087519BC324DFACC940A6AB7E9FFC8704F048A29F99987690E730E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019853C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90df66bb44980bbd12f90b2706873f365d23a79b8e361739b99e05f9e937bb9d
Instruction ID: becaca7e8d54e5e19501c7d848b085962b96f546e4e03fb4cd820b1a9de7526b
Opcode Fuzzy Hash: 90df66bb44980bbd12f90b2706873f365d23a79b8e361739b99e05f9e937bb9d
Instruction Fuzzy Hash: AC41E434A047458FEB25DFB884107AFBAF6BF51704F14052EC08EA7741DB755909CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 01A03D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92a72649e7d3012cad219f238d0b6fa9c58159c17c745cd55a8a542ab740052
Instruction ID: 0147b92a54d05126d23ec75c0b593523d6c9729ef74e917f3f21df319d9c6857
Opcode Fuzzy Hash: b92a72649e7d3012cad219f238d0b6fa9c58159c17c745cd55a8a542ab740052
Instruction Fuzzy Hash: BF3179B1A09302DFCB15DF58E58091ABBE1FFC5710F054A6EE4889B291D734ED05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01953880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757279ac2b9ee8dd43bd29d23c3c2dcd9a208da549dd7fdf9af96c0409624052
Instruction ID: 0838ef7b18d06b2f326271c7555d5e6473c2e07bc77df0bb0127be1613d9bbb9
Opcode Fuzzy Hash: 757279ac2b9ee8dd43bd29d23c3c2dcd9a208da549dd7fdf9af96c0409624052
Instruction Fuzzy Hash: 88319E72E0121AEFDB61DEA9C840AAEBBFCFF48790F014565E919E7250D6709A008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698e8aa3205206c6c712d60e243949e1a12be0336bfdd73cc72731d16ac896d5
Instruction ID: 5a22a98cb26e52b13008a2b634c7f310e3d844786cea35ce251444378772d351
Opcode Fuzzy Hash: 698e8aa3205206c6c712d60e243949e1a12be0336bfdd73cc72731d16ac896d5
Instruction Fuzzy Hash: 82314571B01356EBCB229F98D850BAEBBF9EF85710F100069E509EB354EAB1DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 019861A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e456933327d6eaf55cc4df358bcf6cf3bffe9ccaff72bf39975dbd8a9f0e381e
Instruction ID: 6fd01a50f57cb5e30a8ed8409994a65c4c8d4dc7a16aa6f2981892ff1f49d21b
Opcode Fuzzy Hash: e456933327d6eaf55cc4df358bcf6cf3bffe9ccaff72bf39975dbd8a9f0e381e
Instruction Fuzzy Hash: 70318D726057018FE364DF5DC900B26BBE8FB88B00F05496DE998DB352E7B0E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0195AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2023d3124a5f74d954cecb54f8bdcda2a140d4c556f468c60b3f261a316cc014
Instruction ID: 6e4188d68feb6db07883ecfb9f7e42bc763ddbebbd4f0fb3ecce180e26f47ff1
Opcode Fuzzy Hash: 2023d3124a5f74d954cecb54f8bdcda2a140d4c556f468c60b3f261a316cc014
Instruction Fuzzy Hash: 7D31E571A0011AABCF11EFA8CD81ABFB7B9EF84700F014469F90AE7150E7789911D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01994A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae175caa088aa276940b608e5572b90c3d6a904ff50e699af06ef25d3f483a88
Instruction ID: 33f1cde860a655907939e85d77744af88d1fcd726c97d9506299c962b38a5d79
Opcode Fuzzy Hash: ae175caa088aa276940b608e5572b90c3d6a904ff50e699af06ef25d3f483a88
Instruction Fuzzy Hash: 5B3124322023119BDB22DF5CCA44B2AFBA9FFC1B11F40492DE85E07241C778E802CB96

Uniqueness

Uniqueness Score: -1.00%

Function 019578D6, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction ID: c4e13b2e072c5febc277b906583f004a964825125873a86c48fa9f660967a1d7
Opcode Fuzzy Hash: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction Fuzzy Hash: E731F2B2600604AFD711DF59CD80F5ABBB9EF99750F184099A94CDB342D635EE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01959100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d5964e1dae6b89b961eb8796f187de9efe3026f8f503e4d719c5366bae7e3b
Instruction ID: 518b9e158ed00cb7c18c94692a36055b6da9dfad05a4c87542016f3a46198ed5
Opcode Fuzzy Hash: 03d5964e1dae6b89b961eb8796f187de9efe3026f8f503e4d719c5366bae7e3b
Instruction Fuzzy Hash: AC31D675A00255DFEBA6DBACC588B9CBBF5BB89359F18814DC80D77241C335A980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01981DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: b582802792736cccfabc5ef49f8ef8e9cd1b020e88c65b8877319e92b4021514
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 8121AE72600119EFD721EF99CC84EABBBBDFF85641F114065EA09D7261D630BE02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0198F527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: ef244f13256b4ea480bfe6fce9a3a65aef4415f13dcc28a219885e61220968c6
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: D9319A31600648EFD721DF68C884F6AB7F8EF84350F1405A9E91A8B290E730EE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01978D76, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6106c8f20dc6514b4dc11bf727f17872bb4e59e44c1601802df5a49d62694d
Instruction ID: a7d0a2d3af581df10da7746eaf16b158679e15ae7d271daf5231e37becb364e5
Opcode Fuzzy Hash: 3d6106c8f20dc6514b4dc11bf727f17872bb4e59e44c1601802df5a49d62694d
Instruction Fuzzy Hash: 2321D639241681DFE326CB2DC098B7677E8FF51746F184896E98A87651D739D881C720

Uniqueness

Uniqueness Score: -1.00%

Function 01970050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7059cffbe2821b34e7a8948d40cda983cde9c8bb7e3bb38575bbac52fe5ad5f8
Instruction ID: baa207c3dd718e82506a2ea046882f7789b0669073d8ae56a74dda865201d6cc
Opcode Fuzzy Hash: 7059cffbe2821b34e7a8948d40cda983cde9c8bb7e3bb38575bbac52fe5ad5f8
Instruction Fuzzy Hash: 84318F31201B04CFDB22CF2CC940B96B7E5FF89725F18456DE59A87A90DB35B801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019FCD04, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfcc69c41eef905166694d4aaa5c0b4f1e3a6aa939d11ba97ca1443483b64e26
Instruction ID: 4c6b86d71a73293e229c4c7aaca83b5845b1d641f2e3c3eb8e9f84d34b96a0f7
Opcode Fuzzy Hash: bfcc69c41eef905166694d4aaa5c0b4f1e3a6aa939d11ba97ca1443483b64e26
Instruction Fuzzy Hash: 3431E674E1022DABCB15DFA8C844EECBBF5BF88650F198169EA09B3251D7709841CF60

Uniqueness

Uniqueness Score: -1.00%

Function 019D6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e87d6475bbac6c9cde55176e46a83d97fbd43f73f015b7c46f735da626b30f0
Instruction ID: 984d34bfa0d42b4bee68f4d08d214bc36c8995c3a1ef435da73b991b3ecd6c4f
Opcode Fuzzy Hash: 8e87d6475bbac6c9cde55176e46a83d97fbd43f73f015b7c46f735da626b30f0
Instruction Fuzzy Hash: 1221ABB1A00645AFD715DBACD880F2AB7B8FF88740F044069FA08C7791E634ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A2F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2167c4c28fd33361d784559ffc36c095c0385b39be90368dee977dc99ac57cb4
Instruction ID: 26928d68220090cf3c5bb298e8c3ecc6020de1d3eadcd8c7c00431520ca577a0
Opcode Fuzzy Hash: 2167c4c28fd33361d784559ffc36c095c0385b39be90368dee977dc99ac57cb4
Instruction Fuzzy Hash: 4921CF7AA00625AFDB219F4DCC84F5ABBB4EF47750F054065EE049B210D330AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01954A20, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943a52b4d6c7f3d5cbfbdb05f88f35035d612eefa69a3b94d6d011dc7ff052ea
Instruction ID: 8ac45182424ebc57e5cb85627cdbad5db29cf6141868e6bb0254412f425a8b4f
Opcode Fuzzy Hash: 943a52b4d6c7f3d5cbfbdb05f88f35035d612eefa69a3b94d6d011dc7ff052ea
Instruction Fuzzy Hash: F421F731100601DFCFF2EA68D944B27B7B9FB90225F140B19E85E675E1F630A881CB96

Uniqueness

Uniqueness Score: -1.00%

Function 019990AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 5a76b3aa8c841dd6508156566b946ce8edb73ef6274c4fc22a2d05679097a1d8
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 9E214FB1A00205EFDB21DF59C845EAAFBF8FB54754F14886EE949A7251D330ED448B90

Uniqueness

Uniqueness Score: -1.00%

Function 01983B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1975d47391a765c5fd8fc9ed1ff2ccc03867cc765feeb6bc9f4a4c59817ce2
Instruction ID: 651f7cf44d98aa152af58b1d40f9ca058bdbb976f63cea5e6671abcb001704ef
Opcode Fuzzy Hash: 1a1975d47391a765c5fd8fc9ed1ff2ccc03867cc765feeb6bc9f4a4c59817ce2
Instruction Fuzzy Hash: F2219572A00105EFC715DF98DD81F5ABBBDFB84704F150068E9089B252D375ED01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01954B94, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction ID: e40ec61db2d7f9fb97a363dc55c4648e0399f46c2d5b6756121b06c318be7757
Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction Fuzzy Hash: 5231BD31D00625DFD7A8CF68C480AB9B7F8FF84212F148669CC6DA7660F770A980CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019D6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b70a6b7a8cca87c05b9cb0f0ea6bf1f51b6f0ebbd480cbf41527e6f400ff92
Instruction ID: feb46775090f19ef12c4f095945ee51f31c7e50fb220d72bebe7ee7065ac2a06
Opcode Fuzzy Hash: 98b70a6b7a8cca87c05b9cb0f0ea6bf1f51b6f0ebbd480cbf41527e6f400ff92
Instruction Fuzzy Hash: 22210E324003499BD321EF68DD48B6BBBECEFD5640F044966FA48C7260EB30C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 019628AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7a25a093bd71704d5305c384f05a72830df9202c0a44c127c3ca81dee1bd8d
Instruction ID: b2f13b1c25a9d868780d35bb7ee3aa2426843d89698b9c0c6435722c0826b9f3
Opcode Fuzzy Hash: 7d7a25a093bd71704d5305c384f05a72830df9202c0a44c127c3ca81dee1bd8d
Instruction Fuzzy Hash: B521CC31605781DBF72657ACCD48F243BDCAF81774F190761F92C9B6E2D76898408222

Uniqueness

Uniqueness Score: -1.00%

Function 0195519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f184a4728833133fd426a206540d2c362553aeaf7b72856c83abf927bd2510a
Instruction ID: 24392fa513053bdaf55ab7248e13dab5bd4818c06bfe86074c4d7b44dadbcd34
Opcode Fuzzy Hash: 1f184a4728833133fd426a206540d2c362553aeaf7b72856c83abf927bd2510a
Instruction Fuzzy Hash: E811E135901305ABDB60EB68C680AEABFF9FF55710F19056AF84EA7681E731D841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019512D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: 6e12b14a7760beb7598a83f9dd65dc703fb753b92a9ec6c378f8fc72aa12bcf1
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: 6811B272600609EFEB22DE59D841FAABBACEB84751F10403AEE099F550E671EE44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0198FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: c5ac3c77a5c4efd7ba65cf5e7993d6ad42f4c75d34f0b245753b775bbbf32bb2
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: A5217972600A41DBDB35DF4DC540E66FBE9EB94B12F2585AEEA8D87612D730AC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019812BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4a2d5070825945860ebe307d9d145e2f7241a254b7201fa87e2c51967748eb
Instruction ID: 1406530756b5e5eee00e94175f1fb090c1de2a75ee49fbdc91abd0fe671015d5
Opcode Fuzzy Hash: ba4a2d5070825945860ebe307d9d145e2f7241a254b7201fa87e2c51967748eb
Instruction Fuzzy Hash: E1214A75600600EFD739EF68C881F6AB7E9FF84651F10883EE59EC7651DA30A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01995A69, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1979692b652dc06499ba72ccbd053dd9956cdf35f7271177d5bbf297cb4299e0
Instruction ID: 7b4aadc5f1e873a6657cf9cd25b61e28443a2d3c915541853b9f2b9562eef811
Opcode Fuzzy Hash: 1979692b652dc06499ba72ccbd053dd9956cdf35f7271177d5bbf297cb4299e0
Instruction Fuzzy Hash: 901133392426418FE7268B2CD0E0B7273E9EF01705F09045BE98E87351E36DDC80C764

Uniqueness

Uniqueness Score: -1.00%

Function 0198B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3673564b7e94391507578384aa9748f9f57459a4a4e7ffbfe1c625e7c594a7fc
Instruction ID: af8ea6fc01ec834a95725da91d6dfa3256feec9aed2c69e6329bf1b8ebde1c83
Opcode Fuzzy Hash: 3673564b7e94391507578384aa9748f9f57459a4a4e7ffbfe1c625e7c594a7fc
Instruction Fuzzy Hash: 74116B333021109BCB19EA589D81A2BB25AEBC5771B2C012EDD1FC7380DA359C02C695

Uniqueness

Uniqueness Score: -1.00%

Function 01959240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83d7571cb8b49973a287fe04a867497d9008c71ed6fa4faeaafef1c5f0976ab
Instruction ID: c1804b6c7ffd51f5fb4ef8f0b7a352fa348e707a178fa7eb0316a57ef7d4c394
Opcode Fuzzy Hash: e83d7571cb8b49973a287fe04a867497d9008c71ed6fa4faeaafef1c5f0976ab
Instruction Fuzzy Hash: A4215931051602DFC766EFA8CA00F1AB7F9FF68709F05456CE04D966A2CB35E942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01953138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: 599cfbac9dd11f294ca50b5cf8b79da97912783b8706789c96efc68ab257dbb9
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: B511E231A00304EFDB26CF64C904F6AB7B9FB85355F14859DE8099B241EB71AD06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: e6f612c5bf4e282f88791892ed63f1a538a2ab77dedee30ea90f88bdd78aedb1
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: 6611C432A00519AFDB1ACF58CC05AADFBF6EF84310F088269EC45D7354EA31AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019E4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90587e34082b881455ba07f6c3275f47d5ee56e8fe942efefc03d9035994ea6
Instruction ID: fe12cdaf28b3922e7d5f9f9e63b234c89c030f503944f41e7367122d5199b798
Opcode Fuzzy Hash: b90587e34082b881455ba07f6c3275f47d5ee56e8fe942efefc03d9035994ea6
Instruction Fuzzy Hash: E8219D78502601CFCB66DFA8E514A247BF4FBC5315B50826EC10DCB755D73AD452CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019628FD, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e2c5c70405692deee89e746eb00abf203805ce99c7dc840bbdd69611ab77ef
Instruction ID: 93590f08d6613d8f850ff8eafb351c78867b93f8e2dfb156dd2ea819702c4925
Opcode Fuzzy Hash: 45e2c5c70405692deee89e746eb00abf203805ce99c7dc840bbdd69611ab77ef
Instruction Fuzzy Hash: F2112636744644ABF32A93ADCE88F623BDCEFD0B90F240065B90D9B2D1E9A4DC00C231

Uniqueness

Uniqueness Score: -1.00%

Function 01982397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70237f890b2e8904ad8aef39ea7d7be66aead5caf978614f8bd6489c0685589e
Instruction ID: b2d290d8910ce45a519c7465074cbe62593fc8ec9e0016f4e7660fa99835dd60
Opcode Fuzzy Hash: 70237f890b2e8904ad8aef39ea7d7be66aead5caf978614f8bd6489c0685589e
Instruction Fuzzy Hash: F211047674030167E734BB6EAC90F16F6DCBBE0A11F14442AFA0EAB291D6B5E801C764

Uniqueness

Uniqueness Score: -1.00%

Function 0195C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63d452c6f0892aaf625b4f861272527ea1829cb9fa203a484e2e6764d9211de
Instruction ID: eb3d4b2ea4895720ffe9e744bc11dfff65e4073c77fe8d041e3ab831cdc9df88
Opcode Fuzzy Hash: b63d452c6f0892aaf625b4f861272527ea1829cb9fa203a484e2e6764d9211de
Instruction Fuzzy Hash: E111E9357006479BC715AFBDDC8592777E9BBD4A10B00092CE98983751DB21EC11CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01954CB0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4758e67d44093b0b50d51159d0cc7e21a8147a7a644927cb6fcab2908dc88e98
Instruction ID: aefe6abc1556d9ca1139398f85db75b315e62290d5bf8d1662480abfe1f4fa5e
Opcode Fuzzy Hash: 4758e67d44093b0b50d51159d0cc7e21a8147a7a644927cb6fcab2908dc88e98
Instruction Fuzzy Hash: 2111A071600604EFE7A2CF59E841BA777E8EF44351F014469EA99DB211EB75FC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0198002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 107b8da6c08ad70ef1109b67213b1c339c6ba49daf4117ff3ee3e12ef351b3ef
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4D1108327016818FE7239B6CC568B3937D8AF40B55F0D00A4ED5C87692E728D842C261

Uniqueness

Uniqueness Score: -1.00%

Function 01959080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c9bf898adf65b064c5216b96d89dbe5ea127d6ad989fc21381a75f0c411da2
Instruction ID: 0e6bb8270690c26079f96ec12e13c6fd5eefb4447a73f4baa4a363458c3e52ed
Opcode Fuzzy Hash: 43c9bf898adf65b064c5216b96d89dbe5ea127d6ad989fc21381a75f0c411da2
Instruction Fuzzy Hash: DD01A476901604CFE3699F28D840B217BF9EF85725F254466E9099B691C375EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01983B5A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34840d8095ca6196841ea0f940c7b16184db2040ce7a620d61d265c99d59d00
Instruction ID: 623fe55c814346802ec8e9ca30300248c8800d4727bcb7280f6056a9f1ac605d
Opcode Fuzzy Hash: e34840d8095ca6196841ea0f940c7b16184db2040ce7a620d61d265c99d59d00
Instruction Fuzzy Hash: D8112E7A501554DFCB29EF88CA40F6AB7BDFF48A01F16046CE549A7752C329EC01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A11A5F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4adbcf6bb8af3f3989340c3c5098704f6a6e371f079e56fa7f275779c1c09c
Instruction ID: 99c984bd7b992cdc161ef4ac41bc380139a1ee4d3130c8db32dd97e22108f1a9
Opcode Fuzzy Hash: 4c4adbcf6bb8af3f3989340c3c5098704f6a6e371f079e56fa7f275779c1c09c
Instruction Fuzzy Hash: AB118071A01209AFCB10DFA8D845EAFBBF8EF94710F04406AF905EB380D674EA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019531E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 8c2d30a19b7f7047ff1ed17565fd8ad0dcfb5ead59228a3114bdde07fc7daf23
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: E301F532200B01AFEB62D6AAD900E6B77EDFFC1790F544819AA4E87541DA30F905C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A24015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cf98838b17899674db390977023bcf02a3151ded9bd679bce8d67f64700fec
Instruction ID: 585b602085b1bfefb123fcf4386919e5b1f9fabefc66ab804a96be98da373cae
Opcode Fuzzy Hash: 63cf98838b17899674db390977023bcf02a3151ded9bd679bce8d67f64700fec
Instruction Fuzzy Hash: C3018F722019467FD255ABA9CE84E13FBACFFD9760B000229F50C83A11DB68EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01A119D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb90e6ad4823790b35dd4b3b827fc35bac92f6e1c9f21928c7f7dd32fcf734f3
Instruction ID: 38a6ed081bd593f7706a3a0c388054d1aed2e2878a62ebd8659cafa0ea02335c
Opcode Fuzzy Hash: bb90e6ad4823790b35dd4b3b827fc35bac92f6e1c9f21928c7f7dd32fcf734f3
Instruction Fuzzy Hash: 9C019271A01219ABCB14DFA9D845EAEBBB8EF94710F004056B904EB380E6749A01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A11951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecd4219f4c4f09b52d1ac52f6505d8e299e890625fcba60b916cfcea5014d61
Instruction ID: 3bf016155e1237be23b6ff4eb6226d77cf69a2324ac1bb973f6908492251b66a
Opcode Fuzzy Hash: 5ecd4219f4c4f09b52d1ac52f6505d8e299e890625fcba60b916cfcea5014d61
Instruction Fuzzy Hash: 5801B571A01209AFCB14DFA8D845EAFBBB8EF94710F004056F914EB380D674EA00C794

Uniqueness

Uniqueness Score: -1.00%

Function 019570C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: 62ca44e6d818a33288398edd02695ee2d7c268ff8d9009fd3c6d4935aa6cd2ab
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: 7E118B32410B02DFD7769F68C880B22B7E5FF50722F158868D98D5A562C778E881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01A118CA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182eb86c0ec4c65df0499d13ab08cd55edbd1287ce9414e914a94925403e2d50
Instruction ID: 773b10387902a16369a5ec7527ae09d52f27782339bc43e5f7ba18b383676067
Opcode Fuzzy Hash: 182eb86c0ec4c65df0499d13ab08cd55edbd1287ce9414e914a94925403e2d50
Instruction Fuzzy Hash: 58017575A01219AFDB14DFA9D845EAFBBB8EF94710F004056F915EB380E678DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A11843, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125e00d5e322d1c6c8e00ff7c0a7d724bc4faa485aa447384e041f2fb6f3c1cb
Instruction ID: 89c79738269bc253d6ed31b1ff11cd18be60e57a88cbafa94e439604490546bf
Opcode Fuzzy Hash: 125e00d5e322d1c6c8e00ff7c0a7d724bc4faa485aa447384e041f2fb6f3c1cb
Instruction Fuzzy Hash: C7019271E01209ABCB14EFA8D845EAEBBB8EF94710F044056F904EB380E6749A00C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A1138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cb6dcded8b493aa5c03e6b809af4d8ec207f83fa80da42c70cbf047dfa93c8
Instruction ID: 7e48d97db0ef7bafbfb241a2a7241f90ca338fe31eab7ba684282ee8348de9dd
Opcode Fuzzy Hash: c6cb6dcded8b493aa5c03e6b809af4d8ec207f83fa80da42c70cbf047dfa93c8
Instruction Fuzzy Hash: EF017571A01219AFDB14DFA9D845FAEBBB8EF94710F004056F905EB380E674DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A114FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ce9023635d04fbca0109dc6202b6dd648571b644a89cd8014cb1f29c816728
Instruction ID: 023187e52228860f01af3849b4482ec207c2299a3e773a74675307c36f7da77d
Opcode Fuzzy Hash: c6ce9023635d04fbca0109dc6202b6dd648571b644a89cd8014cb1f29c816728
Instruction Fuzzy Hash: 9C01B571A01248AFCB14DFACD845EAEBBB8EF94710F044056F905EB380D675DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019558EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b83b59be8b3b7bef34b2013e1a85042587176de427fbbf6e2940b99ae78f0b7
Instruction ID: 62b2ca8b51bfaf640c4182b26b9194a2a2b5109e799bfcb877fcbbd2a91bb016
Opcode Fuzzy Hash: 2b83b59be8b3b7bef34b2013e1a85042587176de427fbbf6e2940b99ae78f0b7
Instruction Fuzzy Hash: 0B018F31A002059BE718EB69D8209BEB7BCEBD5120F964069AE0DA7245DE25ED02C790

Uniqueness

Uniqueness Score: -1.00%

Function 019595F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: e874669dc382fba03387f60696ffcac290a32ecfe144c84b5d04a01cf90736fa
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: 2B017B32A02144EBEB11DB9CC944F6537ADEBD0B38F104115EE0DAB290DB34ED04C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A28966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ff43e141a24de2297284eb4040efd258d3aa221b9300228ce2eaf9e2258320
Instruction ID: 843f5f42d0473f71a17c4505345eb596cb92df3be2ff988eb5693f1d89c3ccff
Opcode Fuzzy Hash: 97ff43e141a24de2297284eb4040efd258d3aa221b9300228ce2eaf9e2258320
Instruction Fuzzy Hash: 2D014CB5A0021DABCB00DFA9D8419AEB7F8FF58300F10445AF905E7340D774AA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0196B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 6074f23795249f4671069b153f8f028f0c7fcacbd5344d46666cea82b8480d1c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: F7018472300584DFE3268B5CCA88F767BDCEB85751F0944A1FA1ECB655E628DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 01A21074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00588208d9a073a93440c476e0b18db6b3cf3dcae5afab7dddd5e1f2a973ebd
Instruction ID: 6ad6123cbedca008eb31fbee0179e2727572a18d931eb8f6768c1b187e8b1f40
Opcode Fuzzy Hash: f00588208d9a073a93440c476e0b18db6b3cf3dcae5afab7dddd5e1f2a973ebd
Instruction Fuzzy Hash: 01014C726087429FC711DF6CD944F1A7BE5BBC4310F04C529F98583291EE34D941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A1129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa735156ca7e6f97b65dd1aebfab4295feb3b1a1a1a0250b65ff3c12c82c034e
Instruction ID: ae78753ba6391ce1bdbcd67d3eadf522051402531b1a3884b6523868e4b651bb
Opcode Fuzzy Hash: aa735156ca7e6f97b65dd1aebfab4295feb3b1a1a1a0250b65ff3c12c82c034e
Instruction Fuzzy Hash: 8C018471A01259ABDB14DFE9D805EAFBBB8EF94700F04406AF905EB280E674D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A289E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d105ee1824b5d608d1bb7e4fb7163d7b4b6b81ea15cdbb372b93544a21e0ff
Instruction ID: 993b953129e2cf1b53fe5709c623579e0971ec1f4f9cac3960334ccf41cb71b5
Opcode Fuzzy Hash: f0d105ee1824b5d608d1bb7e4fb7163d7b4b6b81ea15cdbb372b93544a21e0ff
Instruction Fuzzy Hash: 33012175A0121D9FDB00DFADD9419AEBBF8EF58710F14405AF905E7340D634AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A28ADD, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7509fd94cfc309a6b09f872d8060f335bc71dbd194ada6411a256ba2f6ec7a58
Instruction ID: b6e6e8ed1214bba055a0bce7d35ddcb7f02d5ae2a636a438a770b6c26ef34ffa
Opcode Fuzzy Hash: 7509fd94cfc309a6b09f872d8060f335bc71dbd194ada6411a256ba2f6ec7a58
Instruction Fuzzy Hash: 700121B5A0121D9FDB00DFA9D9419EEBBF8FF58710F10405AF905E7340D634AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A28A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63e5b0b8021df7a5369791a12631fee629d62c653626565218a27339499b2c3
Instruction ID: 886b7ab5bb027143e81e1d31aab17290a07d2536db29cf373156974b3ed3a551
Opcode Fuzzy Hash: b63e5b0b8021df7a5369791a12631fee629d62c653626565218a27339499b2c3
Instruction Fuzzy Hash: F9012C75A0121DAFCB04DFADD9419AEBBF8EF98710F50405AF905E7341EA34A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A29CB3, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2ba3627ce06b6a5eb89a7c0addec865d3c64e520ce642e25499032fcda4a8e
Instruction ID: 6d07b23ec9958d851927f5438e9f8803b40a84284fab35a798302eb3f413f1a4
Opcode Fuzzy Hash: 1d2ba3627ce06b6a5eb89a7c0addec865d3c64e520ce642e25499032fcda4a8e
Instruction Fuzzy Hash: 8D012CB5A0121DAFDB00DFA9D945AAEBBB8FF98714F10405AF905E7340D634A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0195DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 4c7fd59c9fd45520e09ab2a82e15fce00a5f0c33e83f0280d1d1078f1fb28766
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 28F068332415239BE772DAD94884F67BAEB9FD1AA1F150435BA0DBB644C960880297D1

Uniqueness

Uniqueness Score: -1.00%

Function 0195B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a34b0cb8b05d8c909e0dbd71aefeb999f61a4b009853214e6e0763d46ecb85cf
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 7101F9322005849BD326975DC948FA97FDDEF91754F084461FE1E9B6B2D674C800D325

Uniqueness

Uniqueness Score: -1.00%

Function 01957057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb44c73c400d11be352794d6ea98e2e1e5d7400274e2a3ff08742568c11bf720
Instruction ID: 96f041eef80fa99d8a017ac68dc105eb2e85e26d9e0e042d8be8d01083e4286f
Opcode Fuzzy Hash: cb44c73c400d11be352794d6ea98e2e1e5d7400274e2a3ff08742568c11bf720
Instruction Fuzzy Hash: 3C01AD35200608ABD735DFA8DC05FABBBFDEF84610F10056DE90A93190CBA1BA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29BBE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120fbc5c80309ace522c82dafd532b0e4f78bf01ceefd6cb6212308c405cbc1d
Instruction ID: 7085dc9402af5d08d567ce579bb7d3e1353f5e28721416cd34fab30a6b4e61a0
Opcode Fuzzy Hash: 120fbc5c80309ace522c82dafd532b0e4f78bf01ceefd6cb6212308c405cbc1d
Instruction Fuzzy Hash: 02014F71A016199FDB14DFA9D845AAFBBF8FF58710F14405AF905AB380D734AA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01A11229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd735cb71ff65b2f9b35d81689884bf6b24c3e9bc50805b32b844a6fb1016cb
Instruction ID: dc97bb85b6d35df9a67cdfc6090a90eb43faed67e2084eb228f0ba37319cc734
Opcode Fuzzy Hash: 1cd735cb71ff65b2f9b35d81689884bf6b24c3e9bc50805b32b844a6fb1016cb
Instruction Fuzzy Hash: AA01A976A01218ABDB14DBF9D4059EFB7B8EF54710F00806AE515E7290EA7599018790

Uniqueness

Uniqueness Score: -1.00%

Function 01951480, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction ID: baabb1835f150f010b7f39e8c07749dbee6595a7eaac445f0bb250323c7ad85b
Opcode Fuzzy Hash: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction Fuzzy Hash: 79F03C36B01108ABDB25DF59C940FBEBBADDF84A10F1441AAAD09F7640DA71AE428791

Uniqueness

Uniqueness Score: -1.00%

Function 01985AA0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction ID: d81b28eb46e93d065c6aeeb94e0398c44525c15ac2905bb9b55be5e89c240d66
Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction Fuzzy Hash: E601D6325406459FEB22AB5CC8C8F29B79CAB50720F018141FD188B691D7B4DD448B51

Uniqueness

Uniqueness Score: -1.00%

Function 01953591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: 127874fd14d698d2927cc5cb0fee324e889aef6d44774cce74b43f32f39daa33
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 67F04C31A012089BEB51DB6C8410FAA7BECFF90754F048195EE0DE7200DA31DA42A390

Uniqueness

Uniqueness Score: -1.00%

Function 01A0FDD3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10a0d34ca33220ef9ae4f255574fb38001a62b1365fd248941514cc9453f2a
Instruction ID: cede07347ce7d5e0e26cb6802be1f8c8292fa34ea5e7e96911c9214be964bb7b
Opcode Fuzzy Hash: 9a10a0d34ca33220ef9ae4f255574fb38001a62b1365fd248941514cc9453f2a
Instruction Fuzzy Hash: 67F0A971B00248ABDF14EBE9E805E7EB3B8EF94B00F040069A901EB690EA35AD01C785

Uniqueness

Uniqueness Score: -1.00%

Function 01951BE9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction ID: 39493d7eb6766e39aa65d1ed4e152f27b3a341dc419d634511c31ed32a6823f3
Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction Fuzzy Hash: EDF0F031B14208ABE758DB29CC01B56B7EDEF98301F1080789949D7260EAB2ED01D358

Uniqueness

Uniqueness Score: -1.00%

Function 01A1131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30859d3b88c76bea70ad8ae269f3e34538e6084df2ff065a89514ba724259f28
Instruction ID: 7862b887789fb949732176329338fb33eb5f70e75afc8abc0390a9c290ce9179
Opcode Fuzzy Hash: 30859d3b88c76bea70ad8ae269f3e34538e6084df2ff065a89514ba724259f28
Instruction Fuzzy Hash: 55013C75A01209AFCB44EFE9D545AAEB7F4FF58700F404059B909EB381E634AA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0197C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018db88379fe78cb7a0897f9a68715d4e83c0245e25a7669b0636f0cf3dbda25
Instruction ID: 5def8a99684796346c51f863f0d33fa7452062e13e23bff49536692fd2532ef2
Opcode Fuzzy Hash: 018db88379fe78cb7a0897f9a68715d4e83c0245e25a7669b0636f0cf3dbda25
Instruction Fuzzy Hash: 07F090B291DA939EE7368B5C8044B217FDC9F45772F444866D50D87112D6A6DC80C250

Uniqueness

Uniqueness Score: -1.00%

Function 01A12073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08e401d15d50f9ced2f358ccc781004d62ecb89f2d4e8063eebf60b467d32f3
Instruction ID: 98d6d760761f9f4df614132778bea60c196dcc1b7e7859b42b2c7d27523e8096
Opcode Fuzzy Hash: a08e401d15d50f9ced2f358ccc781004d62ecb89f2d4e8063eebf60b467d32f3
Instruction Fuzzy Hash: 9AF0A06E8151894BDE33AB7872113E13B92D7D5260B2A0586D5901720EC93ECC93DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0199927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 279a0ef77a96418298510806335eb21b19ecff5d6988c748ca99434d32db3ed1
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: CEE02B323405016BEB119E0DCC80F07775DDFD2725F0040BCB5085F242C6E6DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A28D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39986ce4c240f85ae74574e3436160766333448c1f9e54c59a5d7ca21e6e660
Instruction ID: 2dcbccf90936bc4a7eccdd2ab9372853585fb36ac64c4c5669197aea75313174
Opcode Fuzzy Hash: d39986ce4c240f85ae74574e3436160766333448c1f9e54c59a5d7ca21e6e660
Instruction Fuzzy Hash: 7AF0B470A046189FDB14EFBCD445A6E77F4EF68700F108099F905EB280EA38E904C754

Uniqueness

Uniqueness Score: -1.00%

Function 01A11BA8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696ae0a9f02c92f3223f219425b9bf2b31d6f1c78f683a8f899910a83c2c4e24
Instruction ID: 597099c6ae2199783c1da2491dd9b99a2bf3ef900d694613544d9c00b84a841e
Opcode Fuzzy Hash: 696ae0a9f02c92f3223f219425b9bf2b31d6f1c78f683a8f899910a83c2c4e24
Instruction Fuzzy Hash: A6F08275A05248ABDF14DBF9D44AEAE77B4EF58704F040099E605EB280E978E900C758

Uniqueness

Uniqueness Score: -1.00%

Function 01A28BB6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144f859121d7661cc84d9e9d8e93c362191bbe55dd4d68d2cbe3134508ae227a
Instruction ID: 1ffbda9437aa98acade51187ce78eb199e99da9d8febde6c4fcf85f29f6f7832
Opcode Fuzzy Hash: 144f859121d7661cc84d9e9d8e93c362191bbe55dd4d68d2cbe3134508ae227a
Instruction Fuzzy Hash: A8F05E74A05259ABDB14EBACE905E6E77B4EF54600F440059F905DB281EA38E900C798

Uniqueness

Uniqueness Score: -1.00%

Function 01A28B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da744bdbebfd1ecd60928518a3371576c7611b06e50203b0ccdf556b6bdc4618
Instruction ID: c3a23a4e7515858242db24e063950276b21141b0e43264f079995842be680553
Opcode Fuzzy Hash: da744bdbebfd1ecd60928518a3371576c7611b06e50203b0ccdf556b6bdc4618
Instruction Fuzzy Hash: 94F05EB0A04259ABDB14EBA8D906E6E77B4EF54600F040459BA059B280EA38E900C798

Uniqueness

Uniqueness Score: -1.00%

Function 01A28CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74129128b5c288a267265d57409c220c526ba3775a73bceb73038b2d05205a94
Instruction ID: 4a7d877fa71b5095abfe820d069a6fba4bf41a9e2c1a44b24158ce9c4b6f6a17
Opcode Fuzzy Hash: 74129128b5c288a267265d57409c220c526ba3775a73bceb73038b2d05205a94
Instruction Fuzzy Hash: 7AF08270A05219AFDF04DBECE945E6E77F4EF68300F140199F916EB280EA38E904C754

Uniqueness

Uniqueness Score: -1.00%

Function 0195354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd95180b4096fe04081dc55e4158ae325ff53068670f0fb2a05fca6956b3b497
Instruction ID: c1aac09f6af569ce11279c0acb748f91c3a6ce34fb814b1d55f8d1fc70569d7e
Opcode Fuzzy Hash: dd95180b4096fe04081dc55e4158ae325ff53068670f0fb2a05fca6956b3b497
Instruction Fuzzy Hash: 20F0EC329116998FD722C32CC140F2ABBDCAB01B72FA540A1EA0C87913C328E888C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 0195F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 47709e7a35e646091b4c83eaff32a5904664c83dac3705242189e106c2ef197e
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 42E0D832A41118FBDB61F6D99D05F5ABFACDB94BA1F000155BE08E7151D5709D00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 019515C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: aef36c7ed757ee112ae6939223ace84ca306fcdd0c196d4b66d58139792976d5
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: 3CE02B3120024693CF72EA48C400FB6B79DAF91708F088171ED0A9B141D670DC43D3D0

Uniqueness

Uniqueness Score: -1.00%

Function 019E41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b35fa4463e2fd19c3c0135c5b61ab57af42ce56ef89753f9eedfcb3bcae2ba
Instruction ID: 963ee5c6553f1d4a1c6b3f49898b3b70e580a022e464c55ea099d92bbc81fd4d
Opcode Fuzzy Hash: d0b35fa4463e2fd19c3c0135c5b61ab57af42ce56ef89753f9eedfcb3bcae2ba
Instruction Fuzzy Hash: 94F0F27C8927019FCBA2EBE9E5247283AE8F7D4322F40411A910887688D73945A6CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01A0D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 9a49a121057dfa245101c8191a6a77d6c68f893e8672dc586c9cf33ff6bae0af
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6BE0C232280205BBDB235EC4DC00F69BB2ADF907A1F104031FE086A6D0C6719D91D6C5

Uniqueness

Uniqueness Score: -1.00%

Function 01952CDB, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2301cbb80807bd86986fb20a83a6222ed7f6f329ba40549649f5f350f115ca8
Instruction ID: 2cd90ff6628b01c7a9cda03a3a3d61e725ebeaf4b6b193454e4871e0f2da36ac
Opcode Fuzzy Hash: a2301cbb80807bd86986fb20a83a6222ed7f6f329ba40549649f5f350f115ca8
Instruction Fuzzy Hash: 04E0C231450210EFDF32AB28EC04F5276A5BF90712F10086DE48D291B5DB719881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0198A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7991c5775afb183d12a656a4df2d45a6b3830dc1eddd524e090c8ddd2ca49b
Instruction ID: 6f8b75702bb7d736b120565f4cad9fc7f906b5ccb76fe806d0ecddb40aa456b4
Opcode Fuzzy Hash: be7991c5775afb183d12a656a4df2d45a6b3830dc1eddd524e090c8ddd2ca49b
Instruction Fuzzy Hash: 60D05E611610016BD72FB750D958B253612FBC6B64F38480EF20F8B9A5EAA898D6D208

Uniqueness

Uniqueness Score: -1.00%

Function 019D53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 480a970351c9147c40a8d608ab12d75807e7cdf4488e2bdd35b9cdcabe785e84
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 36E08C31900680DBDF12DB99CA50F4EFBF9FB84B00F154404A10C5B620CA34AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0196AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: d56a2f80780ce1698d6fb6837b06b502f427b64a984f5a8d35c651ba2ddf6cdc
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 9ED0E935352980CFD617CB1DC594B5577ADBB44B45FC504A0E505CB762E62CD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 019835A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 869f4bc9820692fead7afcf4911eb973941e557e34bb0ed4d9008b5e99c2955e
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 62D0A9314011819AEB02FB24C218B683BBABB00A09F582865800E06852C33ECB0AC720

Uniqueness

Uniqueness Score: -1.00%

Function 0195DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 3d978a742278238ba50a4d0a29f38b26e0315f22e39eccfc2f923f6be0a95068
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: B0C08C30380A01EAEB226F20CD01B003AA5BB50B02F4400A06704EA0F0EB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 019DA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 3e4bdfde73b79a0b9c24e842b0571f9d8a8410f35743abf02c51d01fba64ff58
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E5C01232080248BBCB126E81CC00F067B2AEBA4B60F108410BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01973A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: b537754ba3786cac887f78757ab4cfa27fa32838253cff9dc8d94d3c6e61f3d4
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: B8C04C32180648FBC7126E45DD01F157B69EBA4B60F154021B6080B5618576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 0195AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: e087fb446a041b293a183d07ae55be816d0382c0f5a8ae2ddbe94d1895b86d3b
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 77C02B330C0248BBC7126F85CD00F01BF2DEBE0B60F000020F6080B671C932EC61D588

Uniqueness

Uniqueness Score: -1.00%

Function 01984190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: e1a5bcd03adf4ad99fd164972c41df776810f08726d77a9dd8b3774b397cee1e
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 82C04C357115418FCF15CB69C284F1577E4BB44B45F150890E809CB721E624E800DA11

Uniqueness

Uniqueness Score: -1.00%

Function 01A08D47, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 5346d2a43d7da605ba354a2e6d16b8446a93829ecec8a8ffa8f9b05263492173
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 55C09B1F5556C54DCD278F3453127D5BF60D7429D0F1D14C1D4D11F553C1184517D629

Uniqueness

Uniqueness Score: -1.00%

Function 01977D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 8891f5bbea1a8171a86282e5a26d0304a6161884ab35284033b26d5f7512a9ae
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 8FB092353019408FCE1ADF18C084B1533E8BB48A40B8400D0E404CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01982ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 73849123b4bdb03c75b38d38a555b98cf24c8ea2bdd05e7005d4d979975eeb7c
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: D6B01232C10441CFCF02EF50C610B197335FB40750F054490900127930C229AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019999A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b230cbff2933367e649220cb26c385f88a73e6ab73d2f393569aef6cb55be31
Instruction ID: c9f8808e1f06c46900b7c8adf83ed800a14a7b82f097fa5f9bc898d1586b4bc9
Opcode Fuzzy Hash: 6b230cbff2933367e649220cb26c385f88a73e6ab73d2f393569aef6cb55be31
Instruction Fuzzy Hash: 409002A174110452D10061994414B064095E7E1345FD1C015E1094594DCA59CC5671A6

Uniqueness

Uniqueness Score: -1.00%

Function 019999D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901a3db55da879b3898f57e50915a4d61bead5d8ed45fcf72f16fecf5b1d8fc0
Instruction ID: c1a5e875edc4b1723fe5df9280ade6f6954ce783fd050f05d62f0398070c98aa
Opcode Fuzzy Hash: 901a3db55da879b3898f57e50915a4d61bead5d8ed45fcf72f16fecf5b1d8fc0
Instruction Fuzzy Hash: D59002A161110052D1046199440470640D5A7E1245FD1C012A2184594CC9698C6561A5

Uniqueness

Uniqueness Score: -1.00%

Function 01999910, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e365d88cc041173329ef930983d380daf90116b4d68cfb0f2b2c94d0c00e16
Instruction ID: 2a925c913d4eb14694f30305c9a07ae4016602b9f1b9202e429b6573b088cb38
Opcode Fuzzy Hash: 15e365d88cc041173329ef930983d380daf90116b4d68cfb0f2b2c94d0c00e16
Instruction Fuzzy Hash: ED9002B160110412D140719944047464095A7D0345FD1C011A5094594ECA998DD976E5

Uniqueness

Uniqueness Score: -1.00%

Function 01999950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb1449c0d5cd84e3dcd6daff85f9f0424bde0c0f0fb4efed8f6e0dc522dea85
Instruction ID: d4ab29ac862358eafbe06b620cfb68c47d2fea051044354ec99b1c246c3edcb7
Opcode Fuzzy Hash: ebb1449c0d5cd84e3dcd6daff85f9f0424bde0c0f0fb4efed8f6e0dc522dea85
Instruction Fuzzy Hash: 059002A160150413D140659948046074095A7D0346FD1C011A2094595ECE698C5571B5

Uniqueness

Uniqueness Score: -1.00%

Function 019998A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d46388f1f97fe6513c3ab483ea7820068193ec26aaed37fc80926901e01ab14
Instruction ID: a48db841fed9787252fe16a4ea8746a0a6bf63f4db4bedabeb3ca2fcedfa08b6
Opcode Fuzzy Hash: 9d46388f1f97fe6513c3ab483ea7820068193ec26aaed37fc80926901e01ab14
Instruction Fuzzy Hash: 0990026170110412D102619944146064099E7D1389FD1C012E1454595DCA658957B1B2

Uniqueness

Uniqueness Score: -1.00%

Function 019998F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a0fa1cec57d4d269b59d6ef0ee539898b49c144664688f15cb3d26a70f5744
Instruction ID: d8e52f15c7f924edadf17b995ec474168350a0365db13ea9293740be086422d0
Opcode Fuzzy Hash: c5a0fa1cec57d4d269b59d6ef0ee539898b49c144664688f15cb3d26a70f5744
Instruction Fuzzy Hash: 77900261A0110512D10171994404616409AA7D0285FD1C022A1054595ECE658996B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 01999820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b7b4036dc068d0d8f998b42fe6f627c56fc2035da7bbae0fef4a10c012aeae
Instruction ID: c06833b598423cc6d3f0fdd9a13c608124ab9f8418a4e231c7a0760d9705203b
Opcode Fuzzy Hash: 75b7b4036dc068d0d8f998b42fe6f627c56fc2035da7bbae0fef4a10c012aeae
Instruction Fuzzy Hash: 1590027164110412D141719944046064099B7D0285FD1C012A0454594ECA958A5ABAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0199B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e509d615ea6fb8fd8c0d7cd35b5d4947f9ec4a596c0ac79055d29593b2d175
Instruction ID: 8a9627ffb8457fa1f7aa818db3b6a5147e2d65969e5829a5c803ccc0d8499892
Opcode Fuzzy Hash: 24e509d615ea6fb8fd8c0d7cd35b5d4947f9ec4a596c0ac79055d29593b2d175
Instruction Fuzzy Hash: EA9002A1A01240534540B199480440690A5B7E13453D1C121A04845A0CCAA88859A2E5

Uniqueness

Uniqueness Score: -1.00%

Function 01999840, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb241a068594bce0ea21ad88b7c3cd2aac9409c606675ab906e010aa91f5797
Instruction ID: 5d46f5170ff25ea85e63f61183180231fd813cb2bb7de440b37e3854bc595194
Opcode Fuzzy Hash: 0bb241a068594bce0ea21ad88b7c3cd2aac9409c606675ab906e010aa91f5797
Instruction Fuzzy Hash: E5900261642141625545B19944045078096B7E02857D1C012A1444990CC966985AE6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0199A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc38f7e82bf4f7b853c5f731c22f5da8f9409af2b06e24300bd4387b404a0a4e
Instruction ID: 090ddf20f08de0898d1af8748a73cfe5bf56c846aef13faf2308f0479203715c
Opcode Fuzzy Hash: cc38f7e82bf4f7b853c5f731c22f5da8f9409af2b06e24300bd4387b404a0a4e
Instruction Fuzzy Hash: B290027160154012D1407199844460B9095B7E0345FD1C411E0455594CCA55885AA2A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb790b023217df090d83807b1330234bb89c4d76f842fe45781c691592acf9eb
Instruction ID: 6b81daa87807c0ccdf3ce87bd996c7a2196bf6bf494afc8af5331e6038d02abb
Opcode Fuzzy Hash: bb790b023217df090d83807b1330234bb89c4d76f842fe45781c691592acf9eb
Instruction Fuzzy Hash: CB90026164110812D140719984147074096E7D0645FD1C011A0054594DCA56896976F1

Uniqueness

Uniqueness Score: -1.00%

Function 01999A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885c42f73cb74ade21978285b1e583db5fbea76a6938e576f2a724a50258b394
Instruction ID: ac11124b3b13de47a9afea600518b88efb7474b87c5ae840f90e00bb9d87bbdb
Opcode Fuzzy Hash: 885c42f73cb74ade21978285b1e583db5fbea76a6938e576f2a724a50258b394
Instruction Fuzzy Hash: CA90026160154452D14062994804B0F8195A7E1246FD1C019A4186594CCD55885967A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f7f9a57093e2db4d94209d380c42b3caa6e2e306466ed14e40c3bde75caebd
Instruction ID: 421da2d4a4b0951af8ec3c02ac92e3da989c276073c353b398dfc855791cdf90
Opcode Fuzzy Hash: 65f7f9a57093e2db4d94209d380c42b3caa6e2e306466ed14e40c3bde75caebd
Instruction Fuzzy Hash: E490027160150412D100619948087474095A7D0346FD1C011A5194595ECAA5C89575B1

Uniqueness

Uniqueness Score: -1.00%

Function 01999A00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076fc5c8653c18727cb08bcb26cd61002988a18888d032100e8343d87520f6ce
Instruction ID: 5cad27c51edd512369f8100342d8c5ce731c028177fb122b0a2a6a4ded7fb80e
Opcode Fuzzy Hash: 076fc5c8653c18727cb08bcb26cd61002988a18888d032100e8343d87520f6ce
Instruction Fuzzy Hash: D890027160150412D1006199481470B4095A7D0346FD1C011A1194595DCA65885575F1

Uniqueness

Uniqueness Score: -1.00%

Function 01999A20, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fbcd8f6a9c65e88591ee136591a2b5f4feec7ad4c0fae48282e4018b452ff7
Instruction ID: 055e15fee905155aa8e077ab1c262a24af6adb894c7841596e7f97684aab97c6
Opcode Fuzzy Hash: e4fbcd8f6a9c65e88591ee136591a2b5f4feec7ad4c0fae48282e4018b452ff7
Instruction Fuzzy Hash: 20900261A0110052414071A988449068095BBE12557D1C121A09C8590DC999886966E5

Uniqueness

Uniqueness Score: -1.00%

Function 01999A50, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6462cb65273a2974faa4a9fdcca08ebe77662a9c0a2868872f17b870e71a58
Instruction ID: 5f46615f644c047551818c09a5d0f192ef81776ccb611028164636e70338ab1b
Opcode Fuzzy Hash: ef6462cb65273a2974faa4a9fdcca08ebe77662a9c0a2868872f17b870e71a58
Instruction Fuzzy Hash: 5C90026161190052D20065A94C14B074095A7D0347FD1C115A0184594CCD55886565A1

Uniqueness

Uniqueness Score: -1.00%

Function 019995D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c66ff9a4478d9bbb8529203072200f47768c45a053c050e59cedf310584231a
Instruction ID: b941196addefbab8b7d9e6bc204d17f654ab9dd0e93f0d023cdf18e988a69181
Opcode Fuzzy Hash: 4c66ff9a4478d9bbb8529203072200f47768c45a053c050e59cedf310584231a
Instruction Fuzzy Hash: 579002A160210013410571994414616809AA7E0245BD1C021E10445D0DC965889571A5

Uniqueness

Uniqueness Score: -1.00%

Function 019995F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde5ee976b710b44ef7642a5dcc43720ca920bcced3495b05cda703301b1707c
Instruction ID: 44f0e5b1cbf476eb8c070d4e974fd7ce679ee0894e8bade2090a36b257df69a5
Opcode Fuzzy Hash: bde5ee976b710b44ef7642a5dcc43720ca920bcced3495b05cda703301b1707c
Instruction Fuzzy Hash: F790027160110812D104619948046864095A7D0345FD1C011A6054695EDAA5889571B1

Uniqueness

Uniqueness Score: -1.00%

Function 0199AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725dfd29d8bb323ba679d63413ce4b621115fed4f8425980cebd8249cf11195d
Instruction ID: 5ed0a5cc061d4e35664f63c91f81a55f763ce10880043509a3d0062c48e36d83
Opcode Fuzzy Hash: 725dfd29d8bb323ba679d63413ce4b621115fed4f8425980cebd8249cf11195d
Instruction Fuzzy Hash: B3900271E05100229140719948146468096B7E0785BD5C011A0544594CCD948A5963E1

Uniqueness

Uniqueness Score: -1.00%

Function 01999520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4b3f7a286fc99d7c0b46c75e45ac1f522daeb783d9068b707fcafbf85408cf
Instruction ID: d3e8e352635df7f8757503a480879196fcc759812b014b435f00f9b883286713
Opcode Fuzzy Hash: fd4b3f7a286fc99d7c0b46c75e45ac1f522daeb783d9068b707fcafbf85408cf
Instruction Fuzzy Hash: B09002E1601240A24500A2998404B0A8595A7E0245BD1C016E10845A0CC9658855A1B5

Uniqueness

Uniqueness Score: -1.00%

Function 01999540, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d54d3f5df9934613ecc23c4dfaac208e391d95c9a5fc2d4aa1f16aa5807245
Instruction ID: 7b1c29e1913b719bc1a99a1f8ae10bb685351eb83762f67df90c31ef63a89c25
Opcode Fuzzy Hash: d5d54d3f5df9934613ecc23c4dfaac208e391d95c9a5fc2d4aa1f16aa5807245
Instruction Fuzzy Hash: A9900265611100130105A599070450740D6A7D53953D1C021F1045590CDA61886561A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efc0f64745797c5d94b2a217810733a900f43b624ee66d472dfaf85e688a287
Instruction ID: da76e36b4e6c14158301fa5011b80f7f87e71ba6be81381a1a3ffbf274992a6e
Opcode Fuzzy Hash: 2efc0f64745797c5d94b2a217810733a900f43b624ee66d472dfaf85e688a287
Instruction Fuzzy Hash: 7E900265621100120145A599060450B44D5B7D63953D1C015F14465D0CCA61886963A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999780, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c548fb8cf0b607538dc16b72c5506fede83654446de4e2643b8267e6eed273
Instruction ID: 3049c52c52f2da07a432404f75d3d844a80808a0be47b1f87dc61e98c9418ac8
Opcode Fuzzy Hash: 26c548fb8cf0b607538dc16b72c5506fede83654446de4e2643b8267e6eed273
Instruction Fuzzy Hash: 0B90026961310012D1807199540860A4095A7D1246FD1D415A0045598CCD55886D63A1

Uniqueness

Uniqueness Score: -1.00%

Function 019997A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcac8557cbb53d6f302ef4d0b50b96b2c8995c027f13cc91a4aa7a19caee01ab
Instruction ID: a148360f000a28055841a58aa698856f90b2f7742980597370012f7f713ae4ce
Opcode Fuzzy Hash: bcac8557cbb53d6f302ef4d0b50b96b2c8995c027f13cc91a4aa7a19caee01ab
Instruction Fuzzy Hash: DE90026170110013D140719954186068095F7E1345FD1D011E0444594CDD55885A62A2

Uniqueness

Uniqueness Score: -1.00%

Function 01999FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acde6547b550a4c93a9af7d234b052917ba6894b6d304fb0bff9e4819db50816
Instruction ID: c234d3b4388978ae5cf1b271c706602f24249f8fa3b723399b91258c22be49c7
Opcode Fuzzy Hash: acde6547b550a4c93a9af7d234b052917ba6894b6d304fb0bff9e4819db50816
Instruction Fuzzy Hash: FF90027171124412D110619984047064095A7D1245FD1C411A0854598DCAD5889571A2

Uniqueness

Uniqueness Score: -1.00%

Function 01999710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b9faa0300a28cad942a862bb63cbe14d5a5e0b0555760966327ce4671cd5b7
Instruction ID: fde6bc0deb1942b13568f6ec4f3988f1427fd826bf15c88435df177dac75a577
Opcode Fuzzy Hash: b0b9faa0300a28cad942a862bb63cbe14d5a5e0b0555760966327ce4671cd5b7
Instruction Fuzzy Hash: B990027160110412D10065D954086464095A7E0345FD1D011A5054595ECAA5889571B1

Uniqueness

Uniqueness Score: -1.00%

Function 0199A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5fe2363efaaad87c104aea33df9f3466ea109ab6e5f80a3cd330e41b25c58d
Instruction ID: 5c4b68d6c275a587ea9058e47a2e8b9d4cab810f2f1cd402a7567f68d71d2ca4
Opcode Fuzzy Hash: fc5fe2363efaaad87c104aea33df9f3466ea109ab6e5f80a3cd330e41b25c58d
Instruction Fuzzy Hash: D6900271701100629500A6D95804A4A8195A7F0345BD1D015A4044594CC994886561A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa2cd5468562213197d6cf44433df7036c060e98d5c6cd07731ce039f336b59
Instruction ID: 6f7ea252ea82aed8b757db66c2c3c83d986360f69e84bf4fa5e055695eb6f42b
Opcode Fuzzy Hash: 1fa2cd5468562213197d6cf44433df7036c060e98d5c6cd07731ce039f336b59
Instruction Fuzzy Hash: B8900261A0510412D1407199541870640A5A7D0245FD1D011A0054594DCA998A5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 0199A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e975384fa566f843e1a82a1a6e0fa47d5864303a9d8e4bdfb75f01c4ab9bcabd
Instruction ID: 840c0ded4461d0295845b8ff409cffb6a0e0c5a75a0e76f3f27780385be1cabf
Opcode Fuzzy Hash: e975384fa566f843e1a82a1a6e0fa47d5864303a9d8e4bdfb75f01c4ab9bcabd
Instruction Fuzzy Hash: 2B90027560514452D50065995804A874095A7D0349FD1D411A04545DCDCA948865B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 01999770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa1863d89a47a90f7769e801c038cbcc0c7b70112f40fc7337f4b1ad404d2a5
Instruction ID: 469b333a675783a75aafccac6c51f21980687250f6a76f96814483200178d246
Opcode Fuzzy Hash: 1fa1863d89a47a90f7769e801c038cbcc0c7b70112f40fc7337f4b1ad404d2a5
Instruction Fuzzy Hash: 5D90026160514452D10065995408A064095A7D0249FD1D011A10945D5DCA758855B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 01999760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5fa81bb42fa2bd7a0b1fe5990e3dc7bc7a2a71a96c6fbfdd857d74c1d5710c
Instruction ID: 0d218770859fe39e54d15216e103dada9481a41f8813ed59c64a0e5dd120a97e
Opcode Fuzzy Hash: 6b5fa81bb42fa2bd7a0b1fe5990e3dc7bc7a2a71a96c6fbfdd857d74c1d5710c
Instruction Fuzzy Hash: C290027160110413D100619955087074095A7D0245FD1D411A0454598DDA96885571A1

Uniqueness

Uniqueness Score: -1.00%

Function 019996D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66af03d3637263344430743a4cb8dd68ddbad3737292d2628104d226fee807a
Instruction ID: 9e2e1465589092b8c47891410de1d56d6e780df204578abdf296c0d1b7699a6d
Opcode Fuzzy Hash: c66af03d3637263344430743a4cb8dd68ddbad3737292d2628104d226fee807a
Instruction Fuzzy Hash: BE90027160110852D10061994404B464095A7E0345FD1C016A0154694DCA55C85575A1

Uniqueness

Uniqueness Score: -1.00%

Function 019540FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019B058F
ExecuteOptions, xrefs: 019B050A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019B04BF
Execute=1, xrefs: 019B057D
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019B0566
CLIENT(ntdll): Processing section info %ws..., xrefs: 019B05F1
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019B05AC

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 27f0a593d4f5274532613f247214c7c44d963e4e02a174571e0df862de2b4181
Instruction ID: 9316f4afec1fac7f9bda27f445594c22a0e6a20eff88bc14d5673507b7363415
Opcode Fuzzy Hash: 27f0a593d4f5274532613f247214c7c44d963e4e02a174571e0df862de2b4181
Instruction Fuzzy Hash: A1613B3570021ABAEF91DA95DC85FEA77BCBFB4305F040099E90DB7181F6709A818B60

Uniqueness

Uniqueness Score: -1.00%

Function 019577A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B2953

Strings

RTL: Resource at %p, xrefs: 019B296B
RTL: Re-Waiting, xrefs: 019B2988
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019B295B

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a8c644841ba97b18a4d5705a90bb21d5dea218fcb4d82108aca7b164cd10ba16
Instruction ID: bf7d1b0f912adf4fc5ac22ce02ab4c337c135c6ddef26d1f9333ec8338446012
Opcode Fuzzy Hash: a8c644841ba97b18a4d5705a90bb21d5dea218fcb4d82108aca7b164cd10ba16
Instruction Fuzzy Hash: CA315935A00636BBDB228B55CDC4FAB7BA8EF95B61F500218ED4C6B241DB21BC11C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01991CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

@, xrefs: 01991D1B
$, xrefs: 01991D37

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0995c06733b2898860fb51431f289e61e5df557ba9c64be26053139ce4c774a7
Instruction ID: 2060d2a0434b9fdc6793e6cea1e3ed07e3afd11aa0f4d093db0c5951468d4400
Opcode Fuzzy Hash: 0995c06733b2898860fb51431f289e61e5df557ba9c64be26053139ce4c774a7
Instruction Fuzzy Hash: 48812C71D002699BDB31DF98CD44BEEBAB8AF49714F0441EAAA0DB7240D7705E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019EFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019EFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019EFE01

Memory Dump Source

Source File: 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 678c8bc4b171268a57cb556802ac9d1ade0d112b91bc673ae543e6f3cefa90e7
Instruction ID: d2359b1ae136f20abd9eb52cb4a53866f7b6d6fc8e37a91e1dc169d5d610d9f6
Opcode Fuzzy Hash: 678c8bc4b171268a57cb556802ac9d1ade0d112b91bc673ae543e6f3cefa90e7
Instruction Fuzzy Hash: 85F0C276640201BBEA211A86DC06E23BB9AEB84B30F150219F62C561D1DA62B83086A4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Bulz.349164.25568.5993

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 0041825B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 01A11C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON