Windows Analysis Report SecuriteInfo.com.Variant.Bulz.785643.17886.29229

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Bulz.785643.17886.29229 (renamed file extension from 29229 to exe)
Analysis ID: 552971
MD5: 83ac585e99b527eeb278702f8f711568
SHA1: a576a927b067c94cdbc1e7b353f60577f5b310f9
SHA256: 9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.33c02a4.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
            • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
            • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
            • 0x16b18:$sqlite3text: 68 38 2A 90 C5
            • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
            • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
            • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Virustotal: Detection: 43%
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match, File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Avira: detected
Antivirus detection for URL or domain
Source: www.topeasyip.company/i5nb/, Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Joe Sandbox ML: detected
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Code function: 4x nop then pop esi, 12_2_0041584D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Code function: 4x nop then pop edi, 12_2_004162F6

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.topeasyip.company/i5nb/
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Each source below matched two rules:
Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Each UNPACKEDPE source below matched two rules:
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: String function: 019AB150 appears 103 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: String function: 01A35720 appears 65 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: String function: 019FD08C appears 32 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_004185F0 NtCreateFile,12_2_004185F0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_004186A0 NtReadFile,12_2_004186A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_00418720 NtClose,12_2_00418720
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_004187D0 NtAllocateVirtualMemory,12_2_004187D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_00418642 NtCreateFile,12_2_00418642
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041869D NtReadFile,12_2_0041869D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041871A NtClose,12_2_0041871A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_004187CB NtAllocateVirtualMemory,12_2_004187CB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,12_2_019E96E0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9660 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_019E9660
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9860 NtQuerySystemInformation,LdrInitializeThunk,12_2_019E9860
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019EB040 NtSuspendThread,12_2_019EB040
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019EA3B0 NtGetContextThread,12_2_019EA3B0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E95D0 NtClose,12_2_019E95D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E95F0 NtQueryInformationFile,12_2_019E95F0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9520 NtWaitForSingleObject,12_2_019E9520
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9540 NtReadFile,12_2_019E9540
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9560 NtWriteFile,12_2_019E9560
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9780 NtMapViewOfSection,12_2_019E9780
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E97A0 NtUnmapViewOfSection,12_2_019E97A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9710 NtQueryInformationToken,12_2_019E9710
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019EA710 NtOpenProcessToken,12_2_019EA710
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9730 NtQueryVirtualMemory,12_2_019E9730
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019EA770 NtOpenThread,12_2_019EA770
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9770 NtSetInformationFile,12_2_019E9770
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9760 NtOpenProcess,12_2_019E9760
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E96D0 NtCreateKey,12_2_019E96D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9610 NtEnumerateValueKey,12_2_019E9610
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9650 NtQueryValueKey,12_2_019E9650
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9670 NtQueryInformationProcess,12_2_019E9670
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E99A0 NtCreateSection,12_2_019E99A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E99D0 NtCreateProcessEx,12_2_019E99D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9910 NtAdjustPrivilegesToken,12_2_019E9910
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E9950 NtQueueApcThread,12_2_019E9950
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E98A0 NtWriteVirtualMemory,12_2_019E98A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E98F0 NtReadVirtualMemory,12_2_019E98F0
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000000.278924225.0000000000D62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.306336909.0000000007930000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000000.298139804.0000000000F92000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.303018064.0000000001C2F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeBinary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeVirustotal: Detection: 43%
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeReversingLabs: Detection: 43%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.785643.17886.exe.log
              Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@0/0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
              Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.3.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.2.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.0.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.7.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.9.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.5.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 0_2_00D6E0EF push esp; iretd 0_2_00D6E0F2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041B842 push eax; ret 12_2_0041B848
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041B84B push eax; ret 12_2_0041B8B2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_004188F2 push ds; ret 12_2_004188F3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041B8AC push eax; ret 12_2_0041B8B2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_00416109 push cs; iretd 12_2_0041610A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_00415237 pushfd ; iretd 12_2_00415238
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_0041B7F5 push eax; ret 12_2_0041B848
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_00F9E0EF push esp; iretd 12_2_00F9E0F2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019FD0D1 push ecx; ret 12_2_019FD0E4
              Source: initial sampleStatic PE information: section name: .text entropy: 7.74258433139
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM3
              Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.33c02a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.340c584.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 7128, type: MEMORYSTR
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 7132 Thread sleep time: -37702s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 4784 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe Code function: 12_2_004088E0 rdtsc 12_2_004088E0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe API coverage: 1.8 %
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe Thread delayed: delay time: 37702
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: vmware
              Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe Code function: 12_2_019A519E mov eax, dword ptr fs:[00000030h] 12_2_019A519E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]12_2_01A6B2E8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]12_2_01A6B2E8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]12_2_01A6B2E8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]12_2_019A5210
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A5210 mov ecx, dword ptr fs:[00000030h]12_2_019A5210
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]12_2_019A5210
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]12_2_019A5210
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A61229 mov eax, dword ptr fs:[00000030h]12_2_01A61229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]12_2_019A8239
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]12_2_019A8239
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]12_2_019A8239
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019AB233 mov eax, dword ptr fs:[00000030h]12_2_019AB233
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019AB233 mov eax, dword ptr fs:[00000030h]12_2_019AB233
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]12_2_019CB236
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]12_2_019CA229
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A5B260 mov eax, dword ptr fs:[00000030h]12_2_01A5B260
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A5B260 mov eax, dword ptr fs:[00000030h]12_2_01A5B260
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]12_2_019A9240
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]12_2_019A9240
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]12_2_019A9240
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]12_2_019A9240
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019E927A mov eax, dword ptr fs:[00000030h]12_2_019E927A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A34257 mov eax, dword ptr fs:[00000030h]12_2_01A34257
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A705AC mov eax, dword ptr fs:[00000030h]12_2_01A705AC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A705AC mov eax, dword ptr fs:[00000030h]12_2_01A705AC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019A3591 mov eax, dword ptr fs:[00000030h]12_2_019A3591
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]12_2_019D2581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]12_2_019D2581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]12_2_019D2581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]12_2_019D2581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]12_2_01A6B581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]12_2_01A6B581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]12_2_01A6B581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCode function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]12_2_01A6B581
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exeCod