Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Variant.Bulz.785643.17886.29229

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Bulz.785643.17886.29229 (renamed file extension from 29229 to exe)
Analysis ID:	552971
MD5:	83ac585e99b527eeb278702f8f711568
SHA1:	a576a927b067c94cdbc1e7b353f60577f5b310f9
SHA256:	9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Bulz.785643.17886.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe" MD5: 83AC585E99B527EEB278702F8F711568)

SecuriteInfo.com.Variant.Bulz.785643.17886.exe (PID: 5636 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe MD5: 83AC585E99B527EEB278702F8F711568)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x52180:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5251a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d3968:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d3d02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2fc788:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2fcb22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5e22d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2dfa15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x308835:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5dd19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2df501:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x308321:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5e32f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2dfb17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x308937:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5e4a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2dfc8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x308aaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x52f32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2d471a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2fd53a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x60651:$sqlite3step: 68 34 1C 7B E1 0x60764:$sqlite3step: 68 34 1C 7B E1 0x2e1e39:$sqlite3step: 68 34 1C 7B E1 0x2e1f4c:$sqlite3step: 68 34 1C 7B E1 0x30ac59:$sqlite3step: 68 34 1C 7B E1 0x30ad6c:$sqlite3step: 68 34 1C 7B E1 0x60680:$sqlite3text: 68 38 2A 90 C5 0x607a5:$sqlite3text: 68 38 2A 90 C5 0x2e1e68:$sqlite3text: 68 38 2A 90 C5 0x2e1f8d:$sqlite3text: 68 38 2A 90 C5 0x30ac88:$sqlite3text: 68 38 2A 90 C5 0x30adad:$sqlite3text: 68 38 2A 90 C5 0x60693:$sqlite3blob: 68 53 D8 7F 8C 0x607bb:$sqlite3blob: 68 53 D8 7F 8C 0x2e1e7b:$sqlite3blob: 68 53 D8 7F 8C 0x2e1fa3:$sqlite3blob: 68 53 D8 7F 8C 0x30ac9b:$sqlite3blob: 68 53 D8 7F 8C 0x30adc3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 7128	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.33c02a4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.340c584.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x139688:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x139a22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1624a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162842:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x145735:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16e555:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x145221:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16e041:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x145837:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16e657:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1459af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16e7cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a43a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16325a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14449c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16d2bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13b1b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x163fd2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14ac27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x173a47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14bcda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x147b59:$sqlite3step: 68 34 1C 7B E1 0x147c6c:$sqlite3step: 68 34 1C 7B E1 0x170979:$sqlite3step: 68 34 1C 7B E1 0x170a8c:$sqlite3step: 68 34 1C 7B E1 0x147b88:$sqlite3text: 68 38 2A 90 C5 0x147cad:$sqlite3text: 68 38 2A 90 C5 0x1709a8:$sqlite3text: 68 38 2A 90 C5 0x170acd:$sqlite3text: 68 38 2A 90 C5 0x147b9b:$sqlite3blob: 68 53 D8 7F 8C 0x147cc3:$sqlite3blob: 68 53 D8 7F 8C 0x1709bb:$sqlite3blob: 68 53 D8 7F 8C 0x170ae3:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1906a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x190a42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b94c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b9862:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19c755:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c5575:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19c241:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c5061:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19c857:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c5677:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19c9cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c57ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x19145a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ba27a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x19b4bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c42dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1921d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1baff2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a1c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1caa67:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a2cfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19eb79:$sqlite3step: 68 34 1C 7B E1 0x19ec8c:$sqlite3step: 68 34 1C 7B E1 0x1c7999:$sqlite3step: 68 34 1C 7B E1 0x1c7aac:$sqlite3step: 68 34 1C 7B E1 0x19eba8:$sqlite3text: 68 38 2A 90 C5 0x19eccd:$sqlite3text: 68 38 2A 90 C5 0x1c79c8:$sqlite3text: 68 38 2A 90 C5 0x1c7aed:$sqlite3text: 68 38 2A 90 C5 0x19ebbb:$sqlite3blob: 68 53 D8 7F 8C 0x19ece3:$sqlite3blob: 68 53 D8 7F 8C 0x1c79db:$sqlite3blob: 68 53 D8 7F 8C 0x1c7b03:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 24 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Virustotal: Detection: 43%			Perma Link
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	ReversingLabs: Detection: 43%

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Show sources

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: www.topeasyip.company/i5nb/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Joe Sandbox ML: detected

Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 4x nop then pop esi		12_2_0041584D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 4x nop then pop edi		12_2_004162F6

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.topeasyip.company/i5nb/

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D8122	0_2_014D8122
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6A08	0_2_014D6A08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6D2E	0_2_014D6D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D7E10	0_2_014D7E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6D72	0_2_014D6D72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D7271	0_2_014D7271
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00401030	12_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C95A	12_2_0041C95A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C96E	12_2_0041C96E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041D128	12_2_0041D128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C38D	12_2_0041C38D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041BB9E	12_2_0041BB9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00408C90	12_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402D8A	12_2_00402D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402D90	12_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041BF8B	12_2_0041BF8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402FB0	12_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BC1C0	12_2_019BC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB090	12_2_019BB090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A720A8	12_2_01A720A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61002	12_2_01A61002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D138B	12_2_019D138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A523E3	12_2_01A523E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A603DA	12_2_01A603DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6231B	12_2_01A6231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C3360	12_2_019C3360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A722AE	12_2_01A722AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A732A9	12_2_01A732A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC2C3	12_2_019AC2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6E2C5	12_2_01A6E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D65A0	12_2_019D65A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A725DD	12_2_01A725DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BD5E0	12_2_019BD5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B841F	12_2_019B841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2430	12_2_019C2430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6D466	12_2_01A6D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A667E2	12_2_01A667E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6D616	12_2_01A6D616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9660	12_2_019A9660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2990	12_2_019C2990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B1915	12_2_019B1915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AF900	12_2_019AF900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A728EC	12_2_01A728EC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 019AB150 appears 103 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 01A35720 appears 65 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 019FD08C appears 32 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004185F0 NtCreateFile,	12_2_004185F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004186A0 NtReadFile,	12_2_004186A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00418720 NtClose,	12_2_00418720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004187D0 NtAllocateVirtualMemory,	12_2_004187D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00418642 NtCreateFile,	12_2_00418642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041869D NtReadFile,	12_2_0041869D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041871A NtClose,	12_2_0041871A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004187CB NtAllocateVirtualMemory,	12_2_004187CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_019E96E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_019E9660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_019E9860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EB040 NtSuspendThread,	12_2_019EB040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA3B0 NtGetContextThread,	12_2_019EA3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E95D0 NtClose,	12_2_019E95D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E95F0 NtQueryInformationFile,	12_2_019E95F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9520 NtWaitForSingleObject,	12_2_019E9520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9540 NtReadFile,	12_2_019E9540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9560 NtWriteFile,	12_2_019E9560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9780 NtMapViewOfSection,	12_2_019E9780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E97A0 NtUnmapViewOfSection,	12_2_019E97A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9710 NtQueryInformationToken,	12_2_019E9710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA710 NtOpenProcessToken,	12_2_019EA710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9730 NtQueryVirtualMemory,	12_2_019E9730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA770 NtOpenThread,	12_2_019EA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9770 NtSetInformationFile,	12_2_019E9770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9760 NtOpenProcess,	12_2_019E9760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E96D0 NtCreateKey,	12_2_019E96D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9610 NtEnumerateValueKey,	12_2_019E9610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9650 NtQueryValueKey,	12_2_019E9650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9670 NtQueryInformationProcess,	12_2_019E9670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E99A0 NtCreateSection,	12_2_019E99A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E99D0 NtCreateProcessEx,	12_2_019E99D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9910 NtAdjustPrivilegesToken,	12_2_019E9910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9950 NtQueueApcThread,	12_2_019E9950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E98A0 NtWriteVirtualMemory,	12_2_019E98A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E98F0 NtReadVirtualMemory,	12_2_019E98F0

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000000.278924225.0000000000D62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.306336909.0000000007930000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000000.298139804.0000000000F92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.303018064.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Virustotal: Detection: 43%
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	ReversingLabs: Detection: 43%

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.785643.17886.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.3.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.2.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.7.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.9.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.5.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_00D6E0EF push esp; iretd	0_2_00D6E0F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B842 push eax; ret	12_2_0041B848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B84B push eax; ret	12_2_0041B8B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004188F2 push ds; ret	12_2_004188F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B8AC push eax; ret	12_2_0041B8B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00416109 push cs; iretd	12_2_0041610A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00415237 pushfd ; iretd	12_2_00415238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B7F5 push eax; ret	12_2_0041B848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00F9E0EF push esp; iretd	12_2_00F9E0F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019FD0D1 push ecx; ret	12_2_019FD0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.74258433139

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.33c02a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.340c584.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 7128, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 7132	Thread sleep time: -37702s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 4784	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Code function: 12_2_004088E0 rdtsc

12_2_004088E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

API coverage: 1.8 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Thread delayed: delay time: 37702			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Code function: 12_2_004088E0 rdtsc

12_2_004088E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A519E mov eax, dword ptr fs:[00000030h]	12_2_019A519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A519E mov ecx, dword ptr fs:[00000030h]	12_2_019A519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8190 mov ecx, dword ptr fs:[00000030h]	12_2_019A8190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D4190 mov eax, dword ptr fs:[00000030h]	12_2_019D4190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7F1B5 mov eax, dword ptr fs:[00000030h]	12_2_01A7F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7F1B5 mov eax, dword ptr fs:[00000030h]	12_2_01A7F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA185 mov eax, dword ptr fs:[00000030h]	12_2_019DA185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A251BE mov eax, dword ptr fs:[00000030h]	12_2_01A251BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A251BE mov eax, dword ptr fs:[00000030h]	12_2_01A251BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A251BE mov eax, dword ptr fs:[00000030h]	12_2_01A251BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A251BE mov eax, dword ptr fs:[00000030h]	12_2_01A251BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CC182 mov eax, dword ptr fs:[00000030h]	12_2_019CC182
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6A189 mov eax, dword ptr fs:[00000030h]	12_2_01A6A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6A189 mov ecx, dword ptr fs:[00000030h]	12_2_01A6A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B61A7 mov eax, dword ptr fs:[00000030h]	12_2_019B61A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B61A7 mov eax, dword ptr fs:[00000030h]	12_2_019B61A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B61A7 mov eax, dword ptr fs:[00000030h]	12_2_019B61A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B61A7 mov eax, dword ptr fs:[00000030h]	12_2_019B61A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D61A0 mov eax, dword ptr fs:[00000030h]	12_2_019D61A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D61A0 mov eax, dword ptr fs:[00000030h]	12_2_019D61A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A341E8 mov eax, dword ptr fs:[00000030h]	12_2_01A341E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A3D1F9 mov eax, dword ptr fs:[00000030h]	12_2_01A3D1F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BC1C0 mov eax, dword ptr fs:[00000030h]	12_2_019BC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CD1EF mov eax, dword ptr fs:[00000030h]	12_2_019CD1EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov ecx, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov ecx, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A631DC mov eax, dword ptr fs:[00000030h]	12_2_01A631DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A31E0 mov eax, dword ptr fs:[00000030h]	12_2_019A31E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_019AB1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_019AB1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_019AB1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9100 mov eax, dword ptr fs:[00000030h]	12_2_019A9100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9100 mov eax, dword ptr fs:[00000030h]	12_2_019A9100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9100 mov eax, dword ptr fs:[00000030h]	12_2_019A9100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B0100 mov eax, dword ptr fs:[00000030h]	12_2_019B0100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B0100 mov eax, dword ptr fs:[00000030h]	12_2_019B0100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B0100 mov eax, dword ptr fs:[00000030h]	12_2_019B0100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A3138 mov ecx, dword ptr fs:[00000030h]	12_2_019A3138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D513A mov eax, dword ptr fs:[00000030h]	12_2_019D513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D513A mov eax, dword ptr fs:[00000030h]	12_2_019D513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120 mov eax, dword ptr fs:[00000030h]	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120 mov eax, dword ptr fs:[00000030h]	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120 mov eax, dword ptr fs:[00000030h]	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120 mov eax, dword ptr fs:[00000030h]	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120 mov ecx, dword ptr fs:[00000030h]	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB171 mov eax, dword ptr fs:[00000030h]	12_2_019AB171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB171 mov eax, dword ptr fs:[00000030h]	12_2_019AB171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A2714D mov eax, dword ptr fs:[00000030h]	12_2_01A2714D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A2714D mov eax, dword ptr fs:[00000030h]	12_2_01A2714D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9080 mov eax, dword ptr fs:[00000030h]	12_2_019A9080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB080 mov eax, dword ptr fs:[00000030h]	12_2_019AB080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF0BF mov ecx, dword ptr fs:[00000030h]	12_2_019DF0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF0BF mov eax, dword ptr fs:[00000030h]	12_2_019DF0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF0BF mov eax, dword ptr fs:[00000030h]	12_2_019DF0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E90AF mov eax, dword ptr fs:[00000030h]	12_2_019E90AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0 mov eax, dword ptr fs:[00000030h]	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5 mov eax, dword ptr fs:[00000030h]	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5 mov eax, dword ptr fs:[00000030h]	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5 mov eax, dword ptr fs:[00000030h]	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5 mov eax, dword ptr fs:[00000030h]	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A70C0 mov eax, dword ptr fs:[00000030h]	12_2_019A70C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A70C0 mov eax, dword ptr fs:[00000030h]	12_2_019A70C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B0C7 mov eax, dword ptr fs:[00000030h]	12_2_01A6B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B0C7 mov eax, dword ptr fs:[00000030h]	12_2_01A6B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A40E1 mov eax, dword ptr fs:[00000030h]	12_2_019A40E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A40E1 mov eax, dword ptr fs:[00000030h]	12_2_019A40E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A40E1 mov eax, dword ptr fs:[00000030h]	12_2_019A40E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D mov eax, dword ptr fs:[00000030h]	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D002D mov eax, dword ptr fs:[00000030h]	12_2_019D002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D002D mov eax, dword ptr fs:[00000030h]	12_2_019D002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D002D mov eax, dword ptr fs:[00000030h]	12_2_019D002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D002D mov eax, dword ptr fs:[00000030h]	12_2_019D002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D002D mov eax, dword ptr fs:[00000030h]	12_2_019D002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB02A mov eax, dword ptr fs:[00000030h]	12_2_019BB02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB02A mov eax, dword ptr fs:[00000030h]	12_2_019BB02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB02A mov eax, dword ptr fs:[00000030h]	12_2_019BB02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB02A mov eax, dword ptr fs:[00000030h]	12_2_019BB02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A74015 mov eax, dword ptr fs:[00000030h]	12_2_01A74015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A74015 mov eax, dword ptr fs:[00000030h]	12_2_01A74015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27016 mov eax, dword ptr fs:[00000030h]	12_2_01A27016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27016 mov eax, dword ptr fs:[00000030h]	12_2_01A27016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27016 mov eax, dword ptr fs:[00000030h]	12_2_01A27016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A33019 mov eax, dword ptr fs:[00000030h]	12_2_01A33019
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D4020 mov edi, dword ptr fs:[00000030h]	12_2_019D4020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5050 mov eax, dword ptr fs:[00000030h]	12_2_019A5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5050 mov eax, dword ptr fs:[00000030h]	12_2_019A5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5050 mov eax, dword ptr fs:[00000030h]	12_2_019A5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C0050 mov eax, dword ptr fs:[00000030h]	12_2_019C0050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C0050 mov eax, dword ptr fs:[00000030h]	12_2_019C0050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A7057 mov eax, dword ptr fs:[00000030h]	12_2_019A7057
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A71074 mov eax, dword ptr fs:[00000030h]	12_2_01A71074
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A62073 mov eax, dword ptr fs:[00000030h]	12_2_01A62073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2397 mov eax, dword ptr fs:[00000030h]	12_2_019D2397
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DB390 mov eax, dword ptr fs:[00000030h]	12_2_019DB390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D138B mov eax, dword ptr fs:[00000030h]	12_2_019D138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D138B mov eax, dword ptr fs:[00000030h]	12_2_019D138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D138B mov eax, dword ptr fs:[00000030h]	12_2_019D138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A5D380 mov ecx, dword ptr fs:[00000030h]	12_2_01A5D380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6138A mov eax, dword ptr fs:[00000030h]	12_2_01A6138A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A523E3 mov ecx, dword ptr fs:[00000030h]	12_2_01A523E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A523E3 mov ecx, dword ptr fs:[00000030h]	12_2_01A523E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A523E3 mov eax, dword ptr fs:[00000030h]	12_2_01A523E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D53C5 mov eax, dword ptr fs:[00000030h]	12_2_019D53C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A253CA mov eax, dword ptr fs:[00000030h]	12_2_01A253CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A253CA mov eax, dword ptr fs:[00000030h]	12_2_01A253CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D03E2 mov eax, dword ptr fs:[00000030h]	12_2_019D03E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309 mov eax, dword ptr fs:[00000030h]	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6131B mov eax, dword ptr fs:[00000030h]	12_2_01A6131B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AF358 mov eax, dword ptr fs:[00000030h]	12_2_019AF358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A36365 mov eax, dword ptr fs:[00000030h]	12_2_01A36365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A36365 mov eax, dword ptr fs:[00000030h]	12_2_01A36365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A36365 mov eax, dword ptr fs:[00000030h]	12_2_01A36365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BF370 mov eax, dword ptr fs:[00000030h]	12_2_019BF370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BF370 mov eax, dword ptr fs:[00000030h]	12_2_019BF370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BF370 mov eax, dword ptr fs:[00000030h]	12_2_019BF370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD294 mov eax, dword ptr fs:[00000030h]	12_2_019DD294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD294 mov eax, dword ptr fs:[00000030h]	12_2_019DD294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D12BD mov esi, dword ptr fs:[00000030h]	12_2_019D12BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D12BD mov eax, dword ptr fs:[00000030h]	12_2_019D12BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D12BD mov eax, dword ptr fs:[00000030h]	12_2_019D12BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h]	12_2_019B62A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h]	12_2_019B62A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h]	12_2_019B62A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h]	12_2_019B62A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6129A mov eax, dword ptr fs:[00000030h]	12_2_01A6129A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A52A5 mov eax, dword ptr fs:[00000030h]	12_2_019A52A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A52A5 mov eax, dword ptr fs:[00000030h]	12_2_019A52A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A52A5 mov eax, dword ptr fs:[00000030h]	12_2_019A52A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A52A5 mov eax, dword ptr fs:[00000030h]	12_2_019A52A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A52A5 mov eax, dword ptr fs:[00000030h]	12_2_019A52A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A12D4 mov eax, dword ptr fs:[00000030h]	12_2_019A12D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]	12_2_01A6B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]	12_2_01A6B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]	12_2_01A6B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B2E8 mov eax, dword ptr fs:[00000030h]	12_2_01A6B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]	12_2_019A5210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5210 mov ecx, dword ptr fs:[00000030h]	12_2_019A5210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]	12_2_019A5210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A5210 mov eax, dword ptr fs:[00000030h]	12_2_019A5210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61229 mov eax, dword ptr fs:[00000030h]	12_2_01A61229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]	12_2_019A8239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]	12_2_019A8239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8239 mov eax, dword ptr fs:[00000030h]	12_2_019A8239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB233 mov eax, dword ptr fs:[00000030h]	12_2_019AB233
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB233 mov eax, dword ptr fs:[00000030h]	12_2_019AB233
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236 mov eax, dword ptr fs:[00000030h]	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA229 mov eax, dword ptr fs:[00000030h]	12_2_019CA229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A5B260 mov eax, dword ptr fs:[00000030h]	12_2_01A5B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A5B260 mov eax, dword ptr fs:[00000030h]	12_2_01A5B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]	12_2_019A9240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]	12_2_019A9240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]	12_2_019A9240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9240 mov eax, dword ptr fs:[00000030h]	12_2_019A9240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E927A mov eax, dword ptr fs:[00000030h]	12_2_019E927A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A34257 mov eax, dword ptr fs:[00000030h]	12_2_01A34257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A705AC mov eax, dword ptr fs:[00000030h]	12_2_01A705AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A705AC mov eax, dword ptr fs:[00000030h]	12_2_01A705AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A3591 mov eax, dword ptr fs:[00000030h]	12_2_019A3591
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581 mov eax, dword ptr fs:[00000030h]	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]	12_2_01A6B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]	12_2_01A6B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]	12_2_01A6B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6B581 mov eax, dword ptr fs:[00000030h]	12_2_01A6B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D35A1 mov eax, dword ptr fs:[00000030h]	12_2_019D35A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D65A0 mov eax, dword ptr fs:[00000030h]	12_2_019D65A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D65A0 mov eax, dword ptr fs:[00000030h]	12_2_019D65A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D65A0 mov eax, dword ptr fs:[00000030h]	12_2_019D65A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A15C1 mov eax, dword ptr fs:[00000030h]	12_2_019A15C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A95F0 mov eax, dword ptr fs:[00000030h]	12_2_019A95F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A95F0 mov ecx, dword ptr fs:[00000030h]	12_2_019A95F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D95EC mov eax, dword ptr fs:[00000030h]	12_2_019D95EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BD5E0 mov eax, dword ptr fs:[00000030h]	12_2_019BD5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BD5E0 mov eax, dword ptr fs:[00000030h]	12_2_019BD5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A751A mov eax, dword ptr fs:[00000030h]	12_2_019A751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A751A mov eax, dword ptr fs:[00000030h]	12_2_019A751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A751A mov eax, dword ptr fs:[00000030h]	12_2_019A751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A751A mov eax, dword ptr fs:[00000030h]	12_2_019A751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9515 mov ecx, dword ptr fs:[00000030h]	12_2_019A9515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A2A537 mov eax, dword ptr fs:[00000030h]	12_2_01A2A537
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6E539 mov eax, dword ptr fs:[00000030h]	12_2_01A6E539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF527 mov eax, dword ptr fs:[00000030h]	12_2_019DF527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF527 mov eax, dword ptr fs:[00000030h]	12_2_019DF527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DF527 mov eax, dword ptr fs:[00000030h]	12_2_019DF527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A63518 mov eax, dword ptr fs:[00000030h]	12_2_01A63518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A63518 mov eax, dword ptr fs:[00000030h]	12_2_01A63518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A63518 mov eax, dword ptr fs:[00000030h]	12_2_01A63518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A354C mov eax, dword ptr fs:[00000030h]	12_2_019A354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A354C mov eax, dword ptr fs:[00000030h]	12_2_019A354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB540 mov eax, dword ptr fs:[00000030h]	12_2_019AB540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB540 mov eax, dword ptr fs:[00000030h]	12_2_019AB540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A23540 mov eax, dword ptr fs:[00000030h]	12_2_01A23540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CC577 mov eax, dword ptr fs:[00000030h]	12_2_019CC577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CC577 mov eax, dword ptr fs:[00000030h]	12_2_019CC577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B849B mov eax, dword ptr fs:[00000030h]	12_2_019B849B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A649B mov eax, dword ptr fs:[00000030h]	12_2_019A649B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A649B mov eax, dword ptr fs:[00000030h]	12_2_019A649B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A334A0 mov eax, dword ptr fs:[00000030h]	12_2_01A334A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A334A0 mov eax, dword ptr fs:[00000030h]	12_2_01A334A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A334A0 mov eax, dword ptr fs:[00000030h]	12_2_01A334A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A364B5 mov eax, dword ptr fs:[00000030h]	12_2_01A364B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A364B5 mov eax, dword ptr fs:[00000030h]	12_2_01A364B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A1480 mov eax, dword ptr fs:[00000030h]	12_2_019A1480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B34B1 mov eax, dword ptr fs:[00000030h]	12_2_019B34B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B34B1 mov eax, dword ptr fs:[00000030h]	12_2_019B34B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD4B0 mov eax, dword ptr fs:[00000030h]	12_2_019DD4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496 mov eax, dword ptr fs:[00000030h]	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B14A9 mov eax, dword ptr fs:[00000030h]	12_2_019B14A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B14A9 mov ecx, dword ptr fs:[00000030h]	12_2_019B14A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A614FB mov eax, dword ptr fs:[00000030h]	12_2_01A614FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D84E0 mov eax, dword ptr fs:[00000030h]	12_2_019D84E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8410 mov eax, dword ptr fs:[00000030h]	12_2_019A8410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A4439 mov eax, dword ptr fs:[00000030h]	12_2_019A4439
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB433 mov eax, dword ptr fs:[00000030h]	12_2_019BB433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB433 mov eax, dword ptr fs:[00000030h]	12_2_019BB433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB433 mov eax, dword ptr fs:[00000030h]	12_2_019BB433
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7740D mov eax, dword ptr fs:[00000030h]	12_2_01A7740D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7740D mov eax, dword ptr fs:[00000030h]	12_2_01A7740D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7740D mov eax, dword ptr fs:[00000030h]	12_2_01A7740D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2430 mov eax, dword ptr fs:[00000030h]	12_2_019C2430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2430 mov eax, dword ptr fs:[00000030h]	12_2_019C2430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9450 mov eax, dword ptr fs:[00000030h]	12_2_019A9450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA44B mov eax, dword ptr fs:[00000030h]	12_2_019DA44B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477 mov eax, dword ptr fs:[00000030h]	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C746D mov eax, dword ptr fs:[00000030h]	12_2_019C746D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A3C450 mov eax, dword ptr fs:[00000030h]	12_2_01A3C450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A3C450 mov eax, dword ptr fs:[00000030h]	12_2_01A3C450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A78450 mov eax, dword ptr fs:[00000030h]	12_2_01A78450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8466 mov eax, dword ptr fs:[00000030h]	12_2_019A8466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8466 mov eax, dword ptr fs:[00000030h]	12_2_019A8466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B8794 mov eax, dword ptr fs:[00000030h]	12_2_019B8794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B17B5 mov eax, dword ptr fs:[00000030h]	12_2_019B17B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27794 mov eax, dword ptr fs:[00000030h]	12_2_01A27794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27794 mov eax, dword ptr fs:[00000030h]	12_2_01A27794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A27794 mov eax, dword ptr fs:[00000030h]	12_2_01A27794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD7CA mov eax, dword ptr fs:[00000030h]	12_2_019DD7CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD7CA mov eax, dword ptr fs:[00000030h]	12_2_019DD7CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A787CF mov eax, dword ptr fs:[00000030h]	12_2_01A787CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E37F5 mov eax, dword ptr fs:[00000030h]	12_2_019E37F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C97ED mov eax, dword ptr fs:[00000030h]	12_2_019C97ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A617D2 mov eax, dword ptr fs:[00000030h]	12_2_01A617D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D37EB mov eax, dword ptr fs:[00000030h]	12_2_019D37EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD715 mov eax, dword ptr fs:[00000030h]	12_2_019DD715
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DD715 mov eax, dword ptr fs:[00000030h]	12_2_019DD715
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CF716 mov eax, dword ptr fs:[00000030h]	12_2_019CF716
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D4710 mov eax, dword ptr fs:[00000030h]	12_2_019D4710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA70E mov eax, dword ptr fs:[00000030h]	12_2_019DA70E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA70E mov eax, dword ptr fs:[00000030h]	12_2_019DA70E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC707 mov eax, dword ptr fs:[00000030h]	12_2_019DC707
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC707 mov ecx, dword ptr fs:[00000030h]	12_2_019DC707
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC707 mov eax, dword ptr fs:[00000030h]	12_2_019DC707
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB73D mov eax, dword ptr fs:[00000030h]	12_2_019CB73D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB73D mov eax, dword ptr fs:[00000030h]	12_2_019CB73D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7070D mov eax, dword ptr fs:[00000030h]	12_2_01A7070D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A7070D mov eax, dword ptr fs:[00000030h]	12_2_01A7070D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A6730 mov eax, dword ptr fs:[00000030h]	12_2_019A6730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A6730 mov eax, dword ptr fs:[00000030h]	12_2_019A6730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A6730 mov eax, dword ptr fs:[00000030h]	12_2_019A6730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DE730 mov eax, dword ptr fs:[00000030h]	12_2_019DE730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AA745 mov eax, dword ptr fs:[00000030h]	12_2_019AA745
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61751 mov eax, dword ptr fs:[00000030h]	12_2_01A61751
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov ecx, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A8760 mov eax, dword ptr fs:[00000030h]	12_2_019A8760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CE760 mov eax, dword ptr fs:[00000030h]	12_2_019CE760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CE760 mov eax, dword ptr fs:[00000030h]	12_2_019CE760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A246A7 mov eax, dword ptr fs:[00000030h]	12_2_01A246A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A656B6 mov eax, dword ptr fs:[00000030h]	12_2_01A656B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A656B6 mov eax, dword ptr fs:[00000030h]	12_2_01A656B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A86A0 mov eax, dword ptr fs:[00000030h]	12_2_019A86A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D36CC mov eax, dword ptr fs:[00000030h]	12_2_019D36CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov ecx, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0 mov eax, dword ptr fs:[00000030h]	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B76E2 mov eax, dword ptr fs:[00000030h]	12_2_019B76E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D16E0 mov ecx, dword ptr fs:[00000030h]	12_2_019D16E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA61C mov eax, dword ptr fs:[00000030h]	12_2_019DA61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DA61C mov eax, dword ptr fs:[00000030h]	12_2_019DA61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A25623 mov eax, dword ptr fs:[00000030h]	12_2_01A25623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B161A mov eax, dword ptr fs:[00000030h]	12_2_019B161A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A1618 mov eax, dword ptr fs:[00000030h]	12_2_019A1618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC600 mov eax, dword ptr fs:[00000030h]	12_2_019AC600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC600 mov eax, dword ptr fs:[00000030h]	12_2_019AC600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC600 mov eax, dword ptr fs:[00000030h]	12_2_019AC600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov ecx, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov ecx, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov ecx, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov ecx, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600 mov eax, dword ptr fs:[00000030h]	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC63D mov eax, dword ptr fs:[00000030h]	12_2_019DC63D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AA63B mov eax, dword ptr fs:[00000030h]	12_2_019AA63B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AA63B mov eax, dword ptr fs:[00000030h]	12_2_019AA63B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61608 mov eax, dword ptr fs:[00000030h]	12_2_01A61608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB62E mov eax, dword ptr fs:[00000030h]	12_2_019BB62E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB62E mov eax, dword ptr fs:[00000030h]	12_2_019BB62E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AE620 mov eax, dword ptr fs:[00000030h]	12_2_019AE620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D7620 mov eax, dword ptr fs:[00000030h]	12_2_019D7620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4670 mov eax, dword ptr fs:[00000030h]	12_2_019C4670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4670 mov eax, dword ptr fs:[00000030h]	12_2_019C4670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4670 mov eax, dword ptr fs:[00000030h]	12_2_019C4670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4670 mov eax, dword ptr fs:[00000030h]	12_2_019C4670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A36652 mov eax, dword ptr fs:[00000030h]	12_2_01A36652
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B766D mov eax, dword ptr fs:[00000030h]	12_2_019B766D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A649A4 mov eax, dword ptr fs:[00000030h]	12_2_01A649A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A649A4 mov eax, dword ptr fs:[00000030h]	12_2_01A649A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A649A4 mov eax, dword ptr fs:[00000030h]	12_2_01A649A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A649A4 mov eax, dword ptr fs:[00000030h]	12_2_01A649A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A269A6 mov eax, dword ptr fs:[00000030h]	12_2_01A269A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AB990 mov eax, dword ptr fs:[00000030h]	12_2_019AB990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2990 mov eax, dword ptr fs:[00000030h]	12_2_019D2990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D99BC mov eax, dword ptr fs:[00000030h]	12_2_019D99BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC9BF mov eax, dword ptr fs:[00000030h]	12_2_019DC9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019DC9BF mov eax, dword ptr fs:[00000030h]	12_2_019DC9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov eax, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov eax, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov eax, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov ecx, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF mov eax, dword ptr fs:[00000030h]	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A789E7 mov eax, dword ptr fs:[00000030h]	12_2_01A789E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B99C7 mov eax, dword ptr fs:[00000030h]	12_2_019B99C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B99C7 mov eax, dword ptr fs:[00000030h]	12_2_019B99C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B99C7 mov eax, dword ptr fs:[00000030h]	12_2_019B99C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B99C7 mov eax, dword ptr fs:[00000030h]	12_2_019B99C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC9FF mov eax, dword ptr fs:[00000030h]	12_2_019AC9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC9FF mov eax, dword ptr fs:[00000030h]	12_2_019AC9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC9FF mov eax, dword ptr fs:[00000030h]	12_2_019AC9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A619D8 mov eax, dword ptr fs:[00000030h]	12_2_01A619D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B1915 mov eax, dword ptr fs:[00000030h]	12_2_019B1915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B1915 mov eax, dword ptr fs:[00000030h]	12_2_019B1915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A78966 mov eax, dword ptr fs:[00000030h]	12_2_01A78966
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6E962 mov eax, dword ptr fs:[00000030h]	12_2_01A6E962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A395E mov eax, dword ptr fs:[00000030h]	12_2_019A395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A395E mov eax, dword ptr fs:[00000030h]	12_2_019A395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB944 mov eax, dword ptr fs:[00000030h]	12_2_019CB944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB944 mov eax, dword ptr fs:[00000030h]	12_2_019CB944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61951 mov eax, dword ptr fs:[00000030h]	12_2_01A61951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC962 mov eax, dword ptr fs:[00000030h]	12_2_019AC962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A3880 mov eax, dword ptr fs:[00000030h]	12_2_019A3880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A3880 mov eax, dword ptr fs:[00000030h]	12_2_019A3880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A23884 mov eax, dword ptr fs:[00000030h]	12_2_01A23884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A23884 mov eax, dword ptr fs:[00000030h]	12_2_01A23884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov eax, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov eax, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov eax, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov ecx, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov eax, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B28AE mov eax, dword ptr fs:[00000030h]	12_2_019B28AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D78A0 mov eax, dword ptr fs:[00000030h]	12_2_019D78A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D78A0 mov eax, dword ptr fs:[00000030h]	12_2_019D78A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Code function: 12_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,

12_2_019E96E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	System Information Discovery112	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Bulz.785643.17886.exe	43%	Virustotal		Browse
SecuriteInfo.com.Variant.Bulz.785643.17886.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
SecuriteInfo.com.Variant.Bulz.785643.17886.exe	100%	Avira	HEUR/AGEN.1211287
SecuriteInfo.com.Variant.Bulz.785643.17886.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.3.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.2.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
0.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.0.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.7.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.9.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.5.unpack	100%	Avira	HEUR/AGEN.1211287	Download File
12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
www.topeasyip.company/i5nb/	4%	Virustotal		Browse
www.topeasyip.company/i5nb/	100%	Avira URL Cloud	malware
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.topeasyip.company/i5nb/	true	4%, Virustotal, Browse Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552971
Start date:	14.01.2022
Start time:	00:16:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Bulz.785643.17886.29229 (renamed file extension from 29229 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.1% (good quality ratio 5.8%) Quality average: 52% Quality standard deviation: 39.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 215
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:17:43	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Variant.Bulz.785643.17886.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.785643.17886.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.729098788142576
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Variant.Bulz.785643.17886.exe
File size:	417792
MD5:	83ac585e99b527eeb278702f8f711568
SHA1:	a576a927b067c94cdbc1e7b353f60577f5b310f9
SHA256:	9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
SHA512:	f4a5f197cca552237ca4ca0dbdba4af5e5c0f6bca7a05313a61d96c5021049edeb0b38d8e4ad5ee3b062692038f05254787a57c5c1a0e951e9a9b9f091a304ac
SSDEEP:	12288:gyK777777777777OPMfcmnxTLrXEQ0/Ll1PishiMkNMfPjJ8W:jK777777777777OKLQR1Pf+aP6W
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H?.a.................V..........:u... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x46753a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61E03F48 [Thu Jan 13 15:03:36 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x674e0	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x65540	0x65600	False	0.877254161529	data	7.74258433139	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x68000	0x598	0x600	False	0.426432291667	data	4.37535552335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x680a0	0x344	data
RT_MANIFEST	0x683e4	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	getDeviceClaimsd.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ram machine
ProductVersion	1.0.0.0
FileDescription	ram machine
OriginalFilename	getDeviceClaimsd.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 7128 Parent PID: 3428

General

Start time:	00:17:34
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe"
Imagebase:	0xd60000
File size:	417792 bytes
MD5 hash:	83AC585E99B527EEB278702F8F711568
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 5636 Parent PID: 7128

General

Start time:	00:17:43
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Imagebase:	0xf90000
File size:	417792 bytes
MD5 hash:	83AC585E99B527EEB278702F8F711568
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 7128 Parent PID: 3428 SecuriteInfo.com.Variant.Bulz.785643.17886.exeCOMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 014D6D2E, Relevance: 3.5, Strings: 2, Instructions: 972
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,Lll, xrefs: 014D7A78
,Lll, xrefs: 014D7A33

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,Lll$,Lll
API String ID: 0-3854024501
Opcode ID: 96f1b6c58cf3b4158a354d4d2b7f15daf9b484fabfbaa45a2dc7c45a4d5d0e39
Instruction ID: 02ef4a4827540445c67ad924cce7b9af6f7ab06526e44914c2d7eac85921cf91
Opcode Fuzzy Hash: 96f1b6c58cf3b4158a354d4d2b7f15daf9b484fabfbaa45a2dc7c45a4d5d0e39
Instruction Fuzzy Hash: 5682CE71A002298FDB14CF69D890AAEB7F2FF88305F15C56AE409EB769D734AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D7E10, Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`kl, xrefs: 014D7E8D

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `kl
API String ID: 0-1495814759
Opcode ID: e093bd650cf42b455e3697a1084e9c6f418093efe46cddfa78867f335e829a94
Instruction ID: cf54dcb4ea55131a21bb6944203ccc1648535889bbd9c6737acfe4e501c2c91c
Opcode Fuzzy Hash: e093bd650cf42b455e3697a1084e9c6f418093efe46cddfa78867f335e829a94
Instruction Fuzzy Hash: 7C819E72F101258FDB14DB69DC90AAEB3E3EFC8614F1A8565E405EB765DB31AC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 014D8122, Relevance: 1.4, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 014D824E

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d93b09ff1717caf28d48885900685e1d2e548144d26d633383529e195159fcb3
Instruction ID: debf297560dbbfd398517eed9c581b8125175e29953fc7123be4c5b95266f2ca
Opcode Fuzzy Hash: d93b09ff1717caf28d48885900685e1d2e548144d26d633383529e195159fcb3
Instruction Fuzzy Hash: 9451DF35B0010A8FCB14DBBDD8945AEBBF2FF88225B19857AD505DB369DB30EC458B90

Uniqueness

Uniqueness Score: -1.00%

Function 014D6D72, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64671d5a5354d86b142291731eed9b8c31e058245d7c9b3279eb1a4f26d32b3
Instruction ID: 09c86dfc031ef9d0d59ad32a2a67078138d8bc1c26cbbdb36ba0d3baeccf2243
Opcode Fuzzy Hash: c64671d5a5354d86b142291731eed9b8c31e058245d7c9b3279eb1a4f26d32b3
Instruction Fuzzy Hash: 54D1A075A001298FDB14CF79D894AAEB7F2BFC8309F15C669D405EB768DB30AD058B90

Uniqueness

Uniqueness Score: -1.00%

Function 014D6A08, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8748f54e271c8e6a825112974d906b0a02e792318eab487e2b8eb504994ca886
Instruction ID: 01e8bfb2abb0db1d0b284226a165fbb5bf656dabee92927dd2c1cb106e78f71d
Opcode Fuzzy Hash: 8748f54e271c8e6a825112974d906b0a02e792318eab487e2b8eb504994ca886
Instruction Fuzzy Hash: CF7138B8E4011A9FDF14CFAAD594AAEBBB1FF48304F10A619D402EB364CB31A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014DE342, Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014DE3B0
GetCurrentThread.KERNEL32 ref: 014DE3ED
GetCurrentProcess.KERNEL32 ref: 014DE42A
GetCurrentThreadId.KERNEL32 ref: 014DE483

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aea1616e8f1fd84914c508cd93c7203df7f1e885398427259221d41f0ef92eef
Instruction ID: 834db872a068f95f21a33a9aeff74b613806cac4356ce4693a5562b766b57a00
Opcode Fuzzy Hash: aea1616e8f1fd84914c508cd93c7203df7f1e885398427259221d41f0ef92eef
Instruction Fuzzy Hash: 7A5166B49006498FDB14CFA9D588BEEBBF1FF49304F14886AD019BB360D7356988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 014DE350, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014DE3B0
GetCurrentThread.KERNEL32 ref: 014DE3ED
GetCurrentProcess.KERNEL32 ref: 014DE42A
GetCurrentThreadId.KERNEL32 ref: 014DE483

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c51bbb8b1e461036ba2fa76ae86c16d609f7b428287646dfd5984d57debdffef
Instruction ID: dbfd8f669cf03f523064f5d04258550fd83cbab8e9052c0c0573bcb8c0bfb666
Opcode Fuzzy Hash: c51bbb8b1e461036ba2fa76ae86c16d609f7b428287646dfd5984d57debdffef
Instruction Fuzzy Hash: F55146B49006498FDB14CFAAC588BEEBBF5FF48304F24896AE019B7360D7355984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 014DBF38, Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebba800beea69716f8683e03b6de554e3656c45344ff8fe61c24c32b72244b9e
Instruction ID: a3075005d44cbc045c9d2ad7cf7a0d16b8e280d03aaafc27f0f98a71258cccb0
Opcode Fuzzy Hash: ebba800beea69716f8683e03b6de554e3656c45344ff8fe61c24c32b72244b9e
Instruction Fuzzy Hash: C6815870A007058FDB25DF69C4A079ABBF5FF89214F008A6ED086CBA61D735E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014D3E38, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014D5439

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9fd980cb2b0829d8dc663603a9c79fa2c89a4b2855a53870431e8c3c37b4ad2f
Instruction ID: 3a7519135c4aabcdd58b6d7a9f33d1b0c2bbcd9a1ab50c8f6df7a3617a242391
Opcode Fuzzy Hash: 9fd980cb2b0829d8dc663603a9c79fa2c89a4b2855a53870431e8c3c37b4ad2f
Instruction Fuzzy Hash: 5E41EF70D0065CCBDF24DFA9C884BDEBBB5BF49308F24856AD408AB251DB745946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014D537F, Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014D5439

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: efbed8c2e102757661b7587d6f4a5f94a27483ab55c731d2ce406386febc7a0b
Instruction ID: 86687836c68acfc60c1c57aed5e82d386efede7ae4512c1a2263ada481c4add3
Opcode Fuzzy Hash: efbed8c2e102757661b7587d6f4a5f94a27483ab55c731d2ce406386febc7a0b
Instruction Fuzzy Hash: E941EFB1D00658CFDB24DFA9C884BDEBBB5BF48308F24856AD408AB250DB716946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014DE572, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DE5FF

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fdfd28d616912e5a3db091a62503279ed3e884eb2349d21e6cbc24b40d38ce6
Instruction ID: 14da3afb694f8e2782545f0485949b291b3afd295ad47b9c51c4b7cb22bcf65e
Opcode Fuzzy Hash: 7fdfd28d616912e5a3db091a62503279ed3e884eb2349d21e6cbc24b40d38ce6
Instruction Fuzzy Hash: 0F21D2B59002589FDF10CFA9D884AEEBBF5FB48324F14851AE918A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DE578, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DE5FF

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72cd7424c248e0b571bf4a0eadcf16199c75e464e5ff68cd22696d08b25b0232
Instruction ID: d0f75ad5eef6f66c279fb558cbb2e59200fdbfd6b42360736694c564179f6274
Opcode Fuzzy Hash: 72cd7424c248e0b571bf4a0eadcf16199c75e464e5ff68cd22696d08b25b0232
Instruction Fuzzy Hash: 5A21B3B59002099FDF10CF99D884ADEBBF9EB48324F14841AE918A7310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DC138, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DC611,00000800,00000000,00000000), ref: 014DC822

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b548b1d2a88b8df314df902c9c5877110a647d6861d7ae524ad1a9952b95316
Instruction ID: 3b91d682e86abdedcc30e3c8c45e6a25f452fa5090d7f584c982d0f26bb8ffbe
Opcode Fuzzy Hash: 0b548b1d2a88b8df314df902c9c5877110a647d6861d7ae524ad1a9952b95316
Instruction Fuzzy Hash: 561103B69002099FDF10CF9AD484ADEFBF5EB48320F14852EE519A7210C374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014DC7B1, Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DC611,00000800,00000000,00000000), ref: 014DC822

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 81dbfd37c44638e82ca0239f95e7b2122a598c784f9863290e101c1ee05249fe
Instruction ID: f8e355faf97fb2e1d8198d7bc6dbee6b3bf09db13c5a0bbea05e1fb6a014070d
Opcode Fuzzy Hash: 81dbfd37c44638e82ca0239f95e7b2122a598c784f9863290e101c1ee05249fe
Instruction Fuzzy Hash: 831117B6D003499FDF10CF9AD484ADEFBF5AB88320F14852EE515A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DC528, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014DC596

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 698e5c636ee078173c9d72a6fea51eca5c4f7d5e296f445eccf668ca63792d5c
Instruction ID: c3c57da5944251a18a0f129894e7b5db92e000b998bec86ff4e456dd15f3b9b4
Opcode Fuzzy Hash: 698e5c636ee078173c9d72a6fea51eca5c4f7d5e296f445eccf668ca63792d5c
Instruction Fuzzy Hash: EB1112B58002488FDB10CF9AC484ADEBBF4AF49224F14855ED869B7610C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DC530, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014DC596

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3bdb0bf85ae774460d3877b712a488601d37bca6f0ecc8fec96212ea3ec1c96f
Instruction ID: 611029084b812acbee934000a8bb536e3bcfc61d4f46330d6e2465cb5b7faec8
Opcode Fuzzy Hash: 3bdb0bf85ae774460d3877b712a488601d37bca6f0ecc8fec96212ea3ec1c96f
Instruction Fuzzy Hash: 8E110FB6C006098FDB10CF9AC484ADEFBF4AF89224F14856AD429B7610C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302135283.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daca008a1190995e00251eb4ca1540dc6302979bf78da515502d9e062458401
Instruction ID: b338edcedbb92a8162581ada1f400e83d622ba22c18ea5a2f5edd5af2ca8d892
Opcode Fuzzy Hash: 4daca008a1190995e00251eb4ca1540dc6302979bf78da515502d9e062458401
Instruction Fuzzy Hash: E62103B1604244DFDB01DF94D8C4B66BF69FB8832CF24C569E9850BA0AC336D856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0148D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302178755.000000000148D000.00000040.00000001.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dce3de7b9b0e4ab6f0705f90eb0fec61c5b8e3595c3d5432c700c2da92895f
Instruction ID: 97240d40be7e96fe39209e85f7a41688c43ac5ae917a20f1a653fe4470b86d99
Opcode Fuzzy Hash: 64dce3de7b9b0e4ab6f0705f90eb0fec61c5b8e3595c3d5432c700c2da92895f
Instruction Fuzzy Hash: FD216AB0904200DFCB15EF94D8C4B2ABBA5FB85358F20C96AD8090B396C336D847C661

Uniqueness

Uniqueness Score: -1.00%

Function 0148D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302178755.000000000148D000.00000040.00000001.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16a434d843673abcc5296def95dd96dc234a66d51dd0242b7c6078772e3b597
Instruction ID: 332c7e4a47c4052321b7eedfdcf4155d26ee1f1b530f0705a098a38f5dacdbbf
Opcode Fuzzy Hash: e16a434d843673abcc5296def95dd96dc234a66d51dd0242b7c6078772e3b597
Instruction Fuzzy Hash: 77212975904244DFDB01EF94D9C4F2ABBA5FB84324F24CA6EE8094B392C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0148D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302178755.000000000148D000.00000040.00000001.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925ac232f1d665ea142f3b53f8e4b0a54046bb16d603e71d1e300f1f96d2204f
Instruction ID: 6e7235960836f336a139cfbe8d8d9e63130838d513aabb0a069d3fc283da859a
Opcode Fuzzy Hash: 925ac232f1d665ea142f3b53f8e4b0a54046bb16d603e71d1e300f1f96d2204f
Instruction Fuzzy Hash: 3D2180755093808FDB02CF64D594B16BF71EB46214F28C5DBD8498B6A7C33A984BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302135283.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f781e3e22243257e7c2cd1e7ae3ee94a8cb0c0f556951c160f75036b1b3388de
Instruction ID: 5acf5444eb42d49084637882dc12fe794248db5fc059ff9f2101ea72f7af6a03
Opcode Fuzzy Hash: f781e3e22243257e7c2cd1e7ae3ee94a8cb0c0f556951c160f75036b1b3388de
Instruction Fuzzy Hash: 6C11D376504280CFCF12CF54D5C4B16BF71FB84328F28C6AAD9450B65AC33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0148D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302178755.000000000148D000.00000040.00000001.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7725c651bc0dbb99a59bbb3ef5fefc7b652fbefa08161400189807505c1d87ac
Instruction ID: 0bcabbf6b812a4de87ab6ef27a2e6bf8eee4c4cc1541e58b0e8f13135687380d
Opcode Fuzzy Hash: 7725c651bc0dbb99a59bbb3ef5fefc7b652fbefa08161400189807505c1d87ac
Instruction Fuzzy Hash: C8118B75904280DFDB12DF54D5C4B1ABBA1FB84324F28C6AAD8494B7A6C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302135283.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b36de43868d7c79c8413153c3a92c282c92a6d78d109cc63cb78c4357db92c3
Instruction ID: 4269a584835e1d15165ce3a93c1a81e44db88c21928784e94371d6647f46f925
Opcode Fuzzy Hash: 8b36de43868d7c79c8413153c3a92c282c92a6d78d109cc63cb78c4357db92c3
Instruction Fuzzy Hash: 7901F7316083C49BE7104FA5DCC4B67BB9CEF4127CF08C51AE9850B64AD37D9844CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0136D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302135283.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164eedcf9091f012d4cb210c8c076e76f56ead31f8ea8c16095b71aa7363444b
Instruction ID: 2a6a73d6233299c28f225a2b3fae3ec4625ba061d49fda3c0ad076bd5dd11df9
Opcode Fuzzy Hash: 164eedcf9091f012d4cb210c8c076e76f56ead31f8ea8c16095b71aa7363444b
Instruction Fuzzy Hash: ECF0C2715042849AEB108E59DCC4B62FFACEB41638F18C45AED480B28AC3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 014D7271, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302288509.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed85d4495d58e408f3582732e2c2c53cbd5bb2c907b70b7467d118918563f58
Instruction ID: 2316b37b5d1b19df7ab40133cec613e17b18150e7246f5bbd337bf3026f861ad
Opcode Fuzzy Hash: 8ed85d4495d58e408f3582732e2c2c53cbd5bb2c907b70b7467d118918563f58
Instruction Fuzzy Hash: AE312579E5110A8FDF20CFA9E481AADF3F2BF48304B14E219E025EB654DB31A805CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Variant.Bulz.785643.17886.exe PID: 5636 Parent PID: 7128 SecuriteInfo.com.Variant.Bulz.785643.17886.exeCOMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	8.5%
Total number of Nodes:	212
Total number of Limit Nodes:	37

Executed Functions

Function 0041869D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

*9A, xrefs: 00418678
A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: *9A$A:A
API String ID: 2738559852-3393056465
Opcode ID: 440a9c7ae0bab30013401e29e9defbe0b8e429ac0d839d9d3a50a4294f0c9365
Instruction ID: 5c1d1326be290633bbf7c449a0da179942d7f590496206b3234f5423b5ffce47
Opcode Fuzzy Hash: 440a9c7ae0bab30013401e29e9defbe0b8e429ac0d839d9d3a50a4294f0c9365
Instruction Fuzzy Hash: F31190B2200109ABCB08DF8DDC91DEB73ADAF8C754B158249BA1D93241D634EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}

0x004186a3
0x004186af
0x004186b7
0x004186bc
0x004186e5
0x004186e9

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: A:A
API String ID: 2738559852-2859176346
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418642, Relevance: 1.5, APIs: 1, Instructions: 32
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
Instruction ID: 4edb876a31e947ab0c02694570741f517bd03378cb2f4498f26c29c628b4aa59
Opcode Fuzzy Hash: be5f7221360a20a6c443f830ae1769a090a9f8139e61cb02de094cd56315abc9
Instruction Fuzzy Hash: 6CF05EB2605144AFDB04CF98D980CDB77BDAF8C350714864DF94DD7205C634E801CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004187CB, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004187CB(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t23;

				asm("sbb [ebx-0x74aa0b80], bl");
				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E004191F0(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187cc
0x004187d3
0x004187df
0x004187e7
0x00418809
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 79c3af1193ff1e2b57c7f02acaddb116459a30812e5dc8473a3119e805696343
Instruction ID: 6f6f66c420e0c48cba723085a2a6e8f894150d1d44e5b27eee268e6ee1ff7d92
Opcode Fuzzy Hash: 79c3af1193ff1e2b57c7f02acaddb116459a30812e5dc8473a3119e805696343
Instruction Fuzzy Hash: 85F058B5200108ABCB14CF99CC90EE77BA8AF88254F00825DFA0897241C230E814CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187D0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187df
0x004187e7
0x00418809
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041871A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E0041871A(void* _a4) {
				intOrPtr _v0;
				long _t8;
				void* _t11;

				_push(ds);
				asm("ror byte [ebp+0x55ca53fe], 0x8b");
				_t5 = _v0;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _v0, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a4); // executed
				return _t8;
			}

0x0041871a
0x0041871b
0x00418723
0x00418726
0x0041872f
0x00418737
0x00418745
0x00418749

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b2021938b182c0061c6cfed2ca3d905344e31e54a27a8be7faff85f3049b4d8d
Instruction ID: 033e3eae8491c448c814c9b8cc424ed027314fb1eabbe8a6d0e5cdda3b8ff964
Opcode Fuzzy Hash: b2021938b182c0061c6cfed2ca3d905344e31e54a27a8be7faff85f3049b4d8d
Instruction Fuzzy Hash: A6E08C752002046BDB11DFA8CC88EE73F18EF88320F144299BE689B292C131A640C690

Uniqueness

Uniqueness Score: -1.00%

Function 00418720, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418720(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418723
0x00418726
0x0041872f
0x00418737
0x00418745
0x00418749

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 019E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E986A

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bdb18dffd5a0b939dc053aa063f666963ff9fdd9823520192ffb5154c2e8f0d
Instruction ID: bf4998f3795cbf782e421e2d05a003923865171afd2665b5d38f7d89b078b985
Opcode Fuzzy Hash: 4bdb18dffd5a0b939dc053aa063f666963ff9fdd9823520192ffb5154c2e8f0d
Instruction Fuzzy Hash: 2690027160110423D111619945047074089A7D0281F92C416A1454558DD6968952B261

Uniqueness

Uniqueness Score: -1.00%

Function 019E96E0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019E96EA

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f906797e186bea307d25d104381cc09a7aac18be1799cf92856be1cad7d91cb7
Instruction ID: 50166be6e6405cb0a807931ae613230c1fac143ec70641f602cff7bd3194f08a
Opcode Fuzzy Hash: f906797e186bea307d25d104381cc09a7aac18be1799cf92856be1cad7d91cb7
Instruction Fuzzy Hash: 3E90027160118812D1106199840474A4085A7D0341F56C415A5454658DC6D588917261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9660, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019E966A

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed41493b1a91efdae287e41f3c1b55219f013346595d90fcdbbeb537c3465bd9
Instruction ID: 007f5eaf3979301c0a3aa3cd58cba9483d6d4327d5946befe9ab4077f369219f
Opcode Fuzzy Hash: ed41493b1a91efdae287e41f3c1b55219f013346595d90fcdbbeb537c3465bd9
Instruction Fuzzy Hash: 0290027160110812D1807199440474A4085A7D1341F92C019A1055654DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 004088E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction ID: b342730474dcc0ac064d0d011e1d56cf5cdba0abec35914909fd77f498fa833d
Opcode Fuzzy Hash: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction Fuzzy Hash: 7B21F8B2D4420957CB15E6649E42AFF73AC9B50308F04057FE989A2181F639AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188d7
0x004188e2
0x004188ed
0x004188f1

APIs

RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED

Strings

F5A, xrefs: 004188E2, 004188EC

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: F5A
API String ID: 1279760036-683449296
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188F4, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004188F4(void* __eax, void* __ebx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t14;
				void* _t21;
				char _t25;

				 *0x53b9b92f = _t25;
				asm("arpl [ebx-0x741374ab], cx");
				_t11 = _v0;
				_t5 = _t11 + 0xc74; // 0xc74
				E004191F0(_t21, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t14;
			}

0x004188f9
0x004188fe
0x00418903
0x0041890f
0x00418917
0x0041892d
0x00418931

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 40e16d1b84d617deca3832357b05040c91571bd3a26d620df365af6c4f8e3855
Instruction ID: 5e0cb83e5d5d92db5aa6902efd79b6b48365383cfded167720f4880b0219a777
Opcode Fuzzy Hash: 40e16d1b84d617deca3832357b05040c91571bd3a26d620df365af6c4f8e3855
Instruction Fuzzy Hash: DCE068B41542C49BEB00FF79C8C089B3BA4FF46214B14859EE88847203C131D459CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00418900, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041890f
0x00418917
0x0041892d
0x00418931

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 019E967A, Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019E9694

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 441cb517c5bc47aa878b240d5a0c057cce5308181668a4d6932d01dc56907c56
Instruction ID: 1bd5b7e47a4adeaa97f5a81582286d8d4104d9c0b661a1aceb535dd931a9fca7
Opcode Fuzzy Hash: 441cb517c5bc47aa878b240d5a0c057cce5308181668a4d6932d01dc56907c56
Instruction Fuzzy Hash: 05B09B71D015C5D5D612D7A4860C717798477D0745F17C056D2060641B4778C0D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A5B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A5B323
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A5B476
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A5B47D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A5B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A5B39B
read from, xrefs: 01A5B4AD, 01A5B4B2
write to, xrefs: 01A5B4A6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A5B305
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A5B484
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A5B53F
*** enter .exr %p for the exception record, xrefs: 01A5B4F1
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A5B2DC
*** Resource timeout (%p) in %ws:%s, xrefs: 01A5B352
The instruction at %p referenced memory at %p., xrefs: 01A5B432
The instruction at %p tried to %s , xrefs: 01A5B4B6
*** then kb to get the faulting stack, xrefs: 01A5B51C
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A5B2F3
Go determine why that thread has not released the critical section., xrefs: 01A5B3C5
The critical section is owned by thread %p., xrefs: 01A5B3B9
a NULL pointer, xrefs: 01A5B4E0
This failed because of error %Ix., xrefs: 01A5B446
an invalid address, %p, xrefs: 01A5B4CF
*** An Access Violation occurred in %ws:%s, xrefs: 01A5B48F
*** enter .cxr %p for the context, xrefs: 01A5B50D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A5B3D6
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A5B38F
*** Inpage error in %ws:%s, xrefs: 01A5B418
The resource is owned exclusively by thread %p, xrefs: 01A5B374
<unknown>, xrefs: 01A5B27E, 01A5B2D1, 01A5B350, 01A5B399, 01A5B417, 01A5B48E
The resource is owned shared by %d threads, xrefs: 01A5B37E

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: d805264791dcad5846da1b7b23441192d842ee6009ffbe75bf93fc8112e903b4
Instruction ID: b6d4a34d2bdf48e79a6fcdd701e3c8e5167667324bc05dda5e5e4707f41565ea
Opcode Fuzzy Hash: d805264791dcad5846da1b7b23441192d842ee6009ffbe75bf93fc8112e903b4
Instruction Fuzzy Hash: 9B81F175A04200FFDF26AB4E9D86E7B3F76AF96A62F444048F9082B512D2718551CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 019DC9BF, Relevance: 14.2, Strings: 11, Instructions: 412
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019DC9BF(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a12) {
				signed int _v12;
				char _v552;
				char _v1072;
				char _v1073;
				signed int _v1080;
				signed int _v1084;
				signed short _v1088;
				signed int _v1092;
				signed short _v1094;
				char _v1096;
				char _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				char _v1112;
				char _v1116;
				signed short _v1120;
				char _v1124;
				char* _v1128;
				char _v1132;
				char _v1135;
				char _v1136;
				signed int _v1140;
				char _v1144;
				intOrPtr _v1148;
				short _v1150;
				char _v1152;
				signed int _v1156;
				char* _v1160;
				char _v1164;
				signed int _v1168;
				signed int _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				signed int _v1188;
				signed int _v1192;
				intOrPtr _v1196;
				char* _v1200;
				intOrPtr _v1204;
				char _v1208;
				char _v1216;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				void* _t184;
				signed short _t188;
				char _t199;
				intOrPtr _t200;
				signed int _t205;
				signed int _t207;
				intOrPtr _t218;
				short _t219;
				char _t236;
				char _t242;
				signed int _t253;
				intOrPtr _t258;
				void* _t260;
				signed int _t272;
				void* _t276;
				unsigned int _t277;
				signed short _t279;
				signed int _t280;
				void* _t281;
				void* _t305;

				_t271 = __edx;
				_v12 =  *0x1a9d360 ^ _t280;
				_t253 = _a4;
				_v1104 = _a12;
				_t272 = __ecx;
				_v1160 =  &_v1072;
				_v1168 = __ecx;
				_t166 = 0;
				_v1073 = 0;
				_v1084 = 0;
				_t274 = 0;
				_v1156 = 0;
				_v1164 = 0x2080000;
				_v1096 = 0;
				_v1092 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1100 = 0;
				if(__ecx == 0) {
					L67:
					_push(_t166);
					_push(_t253);
					_push(_t271);
					_push(_t272);
					E01A35720(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
					_t274 = 0xc000000d;
					L21:
					if(_v1073 == 0) {
						L23:
						if(_v1092 != 0) {
							L019AAD30(_v1092);
						}
						L24:
						if(_v1084 != 0) {
							_push(_v1084);
							E019E95D0();
						}
						_t170 = _v1156;
						if(_v1156 != 0) {
							L019C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t170);
						}
						L26:
						return E019EB640(_t274, _t253, _v12 ^ _t280, _t271, _t272, _t274);
					}
					L22:
					_v1144 = _v1100;
					L019DCCC0(4,  &_v1144, _v1104);
					goto L23;
				}
				if(__edx == 0 || _t253 < 1 || _t253 >  *((intOrPtr*)(__ecx + 4))) {
					_t166 =  *((intOrPtr*)(_t272 + 4));
					goto L67;
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t253 * 4)) != 0) {
						goto L26;
					}
					asm("lfence");
					_t258 =  *((intOrPtr*)(__edx + 0x18));
					_t260 =  *((intOrPtr*)(_t258 + __edx + 0x10)) + __edx;
					_t276 =  *((intOrPtr*)(_t253 * 0x18 +  *((intOrPtr*)(_t258 + __edx + 0xc)) + __edx + 0x10)) + __edx;
					_t181 =  *((intOrPtr*)(_t276 + 0x50));
					if( *((intOrPtr*)(_t276 + 0x50)) > 0xfffe) {
						_push(__edx);
						E01A35720(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t181);
						_t274 = 0xc0000106;
						goto L23;
					}
					if(( *(_t276 + 4) & 0x00000010) != 0) {
						_v1080 =  &_v1164;
						_t272 =  *((intOrPtr*)(_t276 + 0x18)) + _t260;
						if(_t272 != 0) {
							_t184 = L019F13D0(_t272, 0x5c);
							if(_t184 != 0) {
								_t188 = 0x00000004 + (_t184 - _t272 >> 0x00000001) * 0x00000002 & 0x0000ffff;
								_v1088 = _t188;
								_t277 = _t188 & 0x0000ffff;
								if(_t188 <= 0x208) {
									_t264 = _v1080;
									L39:
									E019EF3E0( *((intOrPtr*)(_t264 + 4)), _t272, _t277 - 2);
									_t281 = _t281 + 0xc;
									 *((short*)( *((intOrPtr*)(_v1080 + 4)) + (_t277 >> 1) * 2 - 2)) = 0;
									 *_v1080 = _v1088 + 0xfffffffe;
									L18:
									if(_v1084 == 0) {
										if(L019B6A00( *((intOrPtr*)(_v1080 + 4)),  &_v1112, 0,  &_v1184) != 0) {
											_v1156 = _v1108;
											_t199 = _v1184;
											if(_t199 == 0) {
												_t200 = 0;
											} else {
												_v1112 = _t199;
												_v1108 = _v1180;
												_t200 = _v1176;
											}
											_v1192 = _v1192 & 0x00000000;
											_v1188 = _v1188 & 0x00000000;
											_v1204 = _t200;
											_push(0x21);
											_v1200 =  &_v1112;
											_push(3);
											_push( &_v1216);
											_v1208 = 0x18;
											_push( &_v1208);
											_push(0x100020);
											_v1196 = 0x40;
											_push( &_v1084);
											_t205 = L019E9830();
											_t272 = _v1172;
											_t274 = _t205;
											if(_t272 != 0) {
												asm("lock xadd [edi], eax");
												if((_t205 | 0xffffffff) == 0) {
													_push( *((intOrPtr*)(_t272 + 4)));
													E019E95D0();
													L019C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
												}
											}
											if(_t274 >= 0) {
												goto L19;
											} else {
												_push(_t274);
												E01A35720(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n",  *((intOrPtr*)(_v1080 + 4)));
												goto L21;
											}
										}
										E01A35720(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n",  *((intOrPtr*)(_v1080 + 4)));
										_t274 = 0xc000003a;
										goto L21;
									}
									L19:
									_t271 = _t253;
									_t207 = L019DCE6C(_v1168, _t253, _v1080,  &_v1084);
									_t274 = _t207;
									if(_t207 < 0) {
										E01A35720(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t274);
									} else {
										_t274 = 0;
									}
									goto L21;
								}
								_v1094 = _t188;
								_t218 = L019C3A1C(_t277);
								_v1092 = _t218;
								if(_t218 != 0) {
									_t264 =  &_v1096;
									_v1080 =  &_v1096;
									goto L39;
								}
								_t274 = 0xc0000017;
								goto L24;
							}
							_t274 = 0xc00000e5;
							goto L23;
						}
						_t274 = 0xc00000e5;
						goto L26;
					}
					_v1080 = _v1080 & 0x00000000;
					_t219 =  *((intOrPtr*)(_t276 + 0x50));
					_v1152 = _t219;
					_v1150 = _t219;
					_v1144 = __edx;
					_v1148 =  *((intOrPtr*)(_t276 + 0x54)) + _t260;
					_v1140 = _t253;
					_v1128 =  &_v552;
					_v1136 = 0;
					_v1132 = 0x2160000;
					_v1124 = 0;
					_v1116 = 0;
					_v1120 = 0;
					L019DCCC0(1,  &_v1144, _v1104);
					if(_v1116 != 0) {
						_t274 = 0xc0000120;
						goto L23;
					}
					if(_v1124 != 0) {
						_t271 =  &_v1132;
						_t274 = L019DCF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 >= 0) {
							_t271 = _t253;
							_t274 = L019DCE6C(_t272, _t253,  &_v1132,  &_v1084);
							if(_t274 < 0) {
								_push(_t274);
								_push(_t253);
								_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
								L44:
								_push(0);
								_push(0x33);
								E01A35720();
								goto L23;
							}
							_t274 = 0;
							goto L23;
						}
						_push(_t274);
						_push( &_v1132);
						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
						goto L44;
					}
					_t279 = _v1120;
					_t272 = 0;
					_t236 = _v1136;
					_v1100 = _t236;
					_v1088 = _t279;
					_v1073 = 1;
					if(_t279 == 0) {
						L16:
						_t305 = _t272 - _t279;
						L17:
						if(_t305 == 0) {
							L54:
							_push(_t272);
							E01A35720(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
							_t274 = 0xc0150004;
							goto L22;
						}
						goto L18;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						_v1144 = _t236;
						_v1128 =  &_v552;
						_v1140 = _t272;
						_v1132 = 0x2160000;
						_v1136 = 0;
						L019DCCC0(2,  &_v1144, _v1104);
						if(_v1136 != 0) {
							break;
						}
						_t242 = _v1132;
						if(_v1135 != 0) {
							if(_t242 == 0) {
								goto L54;
							}
							_t119 = _t272 + 1; // 0x1
							_t279 = _t119;
							_v1088 = _t279;
						}
						if(_t242 == 0) {
							L27:
							_t272 = _t272 + 1;
							if(_t272 >= _t279) {
								goto L17;
							} else {
								_t236 = _v1100;
								continue;
							}
						}
						if(_v1084 != 0) {
							_push(_v1084);
							E019E95D0();
							_v1084 = _v1084 & 0x00000000;
						}
						_t271 =  &_v1132;
						_t274 = L019DCF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 < 0) {
							if(_t274 != 0xc0150004) {
								_push(_t274);
								_push( &_v1152);
								E01A35720(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1132);
								goto L22;
							}
							_t279 = _v1088;
							goto L27;
						} else {
							_t279 = _v1088;
							goto L16;
						}
					}
					_t274 = 0xc0000120;
					goto L22;
				}
			}

0x019dc9bf
0x019dc9d1
0x019dc9d8
0x019dc9dc
0x019dc9e9
0x019dc9eb
0x019dc9f3
0x019dc9f9
0x019dc9fb
0x019dca01
0x019dca07
0x019dca09
0x019dca0f
0x019dca19
0x019dca1f
0x019dca25
0x019dca2b
0x019dca31
0x019dca39
0x01a1ac23
0x01a1ac23
0x01a1ac24
0x01a1ac25
0x01a1ac26
0x01a1ac34
0x01a1ac3c
0x019dcc3c
0x019dcc43
0x019dcc65
0x019dcc6c
0x01a1ac4c
0x01a1ac4c
0x019dcc72
0x019dcc79
0x01a1ac56
0x01a1ac5c
0x01a1ac5c
0x019dcc7f
0x019dcc87
0x01a1ac72
0x01a1ac72
0x019dcc8d
0x019dcc9f
0x019dcc9f
0x019dcc45
0x019dcc51
0x019dcc60
0x00000000
0x019dcc60
0x019dca41
0x01a1ac20
0x00000000
0x019dca59
0x019dca5f
0x00000000
0x00000000
0x019dca65
0x019dca68
0x019dca76
0x019dca7c
0x019dca7e
0x019dca86
0x01a1a8ea
0x01a1a8f5
0x01a1a8fd
0x00000000
0x01a1a8fd
0x019dca90
0x01a1a90d
0x01a1a916
0x01a1a918
0x01a1a927
0x01a1a930
0x01a1a94c
0x01a1a94f
0x01a1a955
0x01a1a95b
0x01a1a98c
0x01a1a992
0x01a1a99a
0x01a1a9a9
0x01a1a9af
0x01a1a9c3
0x019dcc09
0x019dcc10
0x01a1ab03
0x01a1ab2f
0x01a1ab35
0x01a1ab3e
0x01a1ab5a
0x01a1ab40
0x01a1ab40
0x01a1ab4c
0x01a1ab52
0x01a1ab52
0x01a1ab5c
0x01a1ab63
0x01a1ab6a
0x01a1ab76
0x01a1ab78
0x01a1ab84
0x01a1ab86
0x01a1ab8d
0x01a1ab97
0x01a1ab98
0x01a1aba3
0x01a1abad
0x01a1abae
0x01a1abb3
0x01a1abb9
0x01a1abbd
0x01a1abc2
0x01a1abc6
0x01a1abc8
0x01a1abcb
0x01a1abdc
0x01a1abdc
0x01a1abc6
0x01a1abe3
0x00000000
0x01a1abe9
0x01a1abef
0x01a1abfc
0x00000000
0x01a1ac01
0x01a1abe3
0x01a1ab17
0x01a1ab1f
0x00000000
0x01a1ab1f
0x019dcc16
0x019dcc29
0x019dcc2b
0x019dcc30
0x019dcc34
0x01a1ac13
0x019dcc3a
0x019dcc3a
0x019dcc3a
0x00000000
0x019dcc34
0x01a1a95e
0x01a1a965
0x01a1a96a
0x01a1a972
0x01a1a97e
0x01a1a984
0x00000000
0x01a1a984
0x01a1a974
0x00000000
0x01a1a974
0x01a1a932
0x00000000
0x01a1a932
0x01a1a91a
0x00000000
0x01a1a91a
0x019dca96
0x019dca9d
0x019dcaa7
0x019dcaae
0x019dcaba
0x019dcac0
0x019dcace
0x019dcad4
0x019dcae3
0x019dcae9
0x019dcaf3
0x019dcaf9
0x019dcaff
0x019dcb05
0x019dcb11
0x01a1a9cb
0x00000000
0x01a1a9cb
0x019dcb1e
0x01a1a9f8
0x01a1aa03
0x01a1aa07
0x01a1aa36
0x01a1aa47
0x01a1aa4b
0x01a1aa18
0x01a1aa19
0x01a1aa1a
0x01a1aa1f
0x01a1aa1f
0x01a1aa21
0x01a1aa23
0x00000000
0x01a1aa28
0x01a1aa4d
0x00000000
0x01a1aa4d
0x01a1aa09
0x01a1aa10
0x01a1aa11
0x00000000
0x01a1aa11
0x019dcb24
0x019dcb2a
0x019dcb2c
0x019dcb32
0x019dcb38
0x019dcb3e
0x019dcb47
0x019dcc01
0x019dcc01
0x019dcc03
0x019dcc03
0x01a1aac0
0x01a1aac0
0x01a1aad1
0x01a1aad9
0x00000000
0x01a1aad9
0x00000000
0x00000000
0x00000000
0x00000000
0x019dcb4d
0x019dcb4d
0x019dcb53
0x019dcb5f
0x019dcb6e
0x019dcb74
0x019dcb7e
0x019dcb87
0x019dcb93
0x00000000
0x00000000
0x019dcba0
0x019dcba7
0x01a1aa57
0x00000000
0x00000000
0x01a1aa59
0x01a1aa59
0x01a1aa5c
0x01a1aa5c
0x019dcbb0
0x019dcca2
0x019dcca2
0x019dcca5
0x00000000
0x019dccab
0x019dccab
0x00000000
0x019dccab
0x019dcca5
0x019dcbbd
0x01a1aa67
0x01a1aa6d
0x01a1aa72
0x01a1aa72
0x019dcbe6
0x019dcbf1
0x019dcbf5
0x01a1aa84
0x01a1aa91
0x01a1aa98
0x01a1aaa9
0x00000000
0x01a1aaae
0x01a1aa86
0x00000000
0x019dcbfb
0x019dcbfb
0x00000000
0x019dcbfb
0x019dcbf5
0x01a1aab6
0x00000000
0x01a1aab6

Strings

@, xrefs: 01A1ABA3
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A1AC2C
RtlpResolveAssemblyStorageMapEntry, xrefs: 01A1AC27
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A1ABF3
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A1AC0A
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A1A8EC
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A1AB0E
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A1AAC8
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A1AAA0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A1AA11
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A1AA1A

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: e8ca00be0a95b58aeb7df96f0a64c140726d486114797f22be70e011882c06dd
Instruction ID: 22c18ac5b7d12e9c78c7bb04ec5024d7303da28e4e6cefd4ed56e6288163ebf1
Opcode Fuzzy Hash: e8ca00be0a95b58aeb7df96f0a64c140726d486114797f22be70e011882c06dd
Instruction Fuzzy Hash: 8B0280F1D012699BDB21DB28CD80BEAB7B8AF54714F4045DAE70DA7241DB309E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01A64496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E01A64496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E01A649A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x1a96378 = _t267;
						asm("int3");
						 *0x1a96378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E019D174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E019AB150();
							} else {
								E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E019AB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E019AB150();
							} else {
								E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E019AB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x1a96350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E019E9660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E019D174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E019AB150();
										} else {
											E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E019AB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E019AB150();
									} else {
										E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E019AB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E019AB150();
								} else {
									E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E019AB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E019AB150();
							} else {
								E019AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = L01A64AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									L01A5FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E01A523E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x01a644a1
0x01a644a3
0x01a644a7
0x01a644ac
0x01a644af
0x01a644b2
0x01a644b9
0x01a644bc
0x01a647f2
0x01a647f2
0x01a647f8
0x01a647fc
0x01a647fe
0x01a64804
0x01a64805
0x01a64805
0x01a6480c
0x01a64810
0x01a64812
0x01a64812
0x01a64812
0x01a64822
0x01a64822
0x01a64827
0x01a64827
0x00000000
0x01a64827
0x01a644c4
0x01a644d3
0x01a644d9
0x01a644dc
0x01a644de
0x01a644e0
0x01a64560
0x01a64520
0x01a64522
0x01a64525
0x01a64528
0x01a6452b
0x01a6452e
0x01a64530
0x01a64697
0x01a6469d
0x01a646a1
0x01a646c0
0x01a646c5
0x01a646a3
0x01a646b8
0x01a646bd
0x01a646cb
0x01a646d4
0x01a64677
0x01a64677
0x01a64679
0x01a6467c
0x01a6468a
0x01a64690
0x01a64690
0x01a647f1
0x01a647f1
0x01a647f1
0x00000000
0x01a647f1
0x01a64536
0x01a64539
0x01a6453c
0x01a64636
0x01a6463c
0x01a64640
0x01a6465f
0x01a64664
0x01a64642
0x01a64657
0x01a6465c
0x01a64670
0x00000000
0x01a64542
0x01a64542
0x01a64546
0x01a64548
0x01a6454b
0x01a64555
0x01a6455b
0x01a6455b
0x01a6455b
0x01a6455d
0x01a6455d
0x01a6455d
0x00000000
0x01a6455d
0x01a6453c
0x01a64579
0x01a6457c
0x01a64587
0x01a64589
0x01a64591
0x01a64592
0x01a64597
0x01a64598
0x01a645a1
0x01a645ab
0x01a645ab
0x01a645a1
0x01a645ae
0x01a645b4
0x01a645b9
0x01a645bd
0x01a64759
0x01a64759
0x01a6475f
0x01a64761
0x01a64763
0x01a64765
0x01a64768
0x01a6476b
0x01a6476d
0x01a6479c
0x01a6479c
0x01a6479f
0x01a647a2
0x01a647a4
0x01a64830
0x01a64833
0x01a64879
0x01a6487d
0x01a648f1
0x01a648f3
0x01a648f3
0x00000000
0x01a648f3
0x01a6487f
0x01a64885
0x01a64887
0x01a648a8
0x01a648a8
0x01a648ae
0x01a648b0
0x01a648dc
0x01a648dc
0x01a648dc
0x01a648dc
0x01a648ec
0x00000000
0x01a648ec
0x01a648b2
0x01a648bc
0x01a648be
0x01a648c1
0x00000000
0x00000000
0x00000000
0x00000000
0x01a648c3
0x01a648c3
0x01a648c6
0x01a648c9
0x01a648cc
0x01a648d1
0x01a648d4
0x00000000
0x00000000
0x01a648d6
0x01a648d7
0x01a648da
0x00000000
0x00000000
0x00000000
0x01a648da
0x01a6494f
0x01a64955
0x01a64959
0x01a64978
0x01a6497d
0x01a6495b
0x01a64970
0x01a64975
0x01a64986
0x01a64987
0x01a6498a
0x01a6498d
0x01a64997
0x01a647ef
0x01a647ef
0x01a647ef
0x00000000
0x01a647ef
0x01a64890
0x01a64890
0x01a64891
0x01a64891
0x01a64894
0x01a64897
0x01a6489d
0x01a648a0
0x00000000
0x00000000
0x01a648a2
0x01a648a3
0x01a648a6
0x00000000
0x00000000
0x00000000
0x01a648a6
0x01a648fb
0x01a64901
0x01a64905
0x01a64924
0x01a64929
0x01a64907
0x01a6491c
0x01a64921
0x01a6492f
0x01a64935
0x01a64936
0x01a64939
0x01a64942
0x00000000
0x01a64947
0x01a64835
0x01a6483b
0x01a6483f
0x01a6485e
0x01a64863
0x01a64841
0x01a64856
0x01a6485b
0x01a64869
0x01a6486c
0x01a6486f
0x01a647e7
0x01a647e7
0x00000000
0x01a647ec
0x01a647aa
0x01a647b0
0x01a647b4
0x01a647d3
0x01a647d8
0x01a647b6
0x01a647cb
0x01a647d0
0x01a647de
0x01a647df
0x01a647e2
0x00000000
0x00000000
0x00000000
0x00000000
0x01a6476f
0x01a6476f
0x01a64778
0x01a64785
0x01a64787
0x01a6478c
0x01a6478e
0x00000000
0x00000000
0x01a64790
0x01a64792
0x01a64794
0x00000000
0x00000000
0x01a64796
0x01a64799
0x00000000
0x01a64799
0x00000000
0x01a645c3
0x01a645c3
0x01a645c7
0x01a645c7
0x01a645ca
0x01a645cf
0x01a645d3
0x01a645df
0x01a645e4
0x01a645e6
0x01a645e8
0x01a645ed
0x01a645ed
0x01a645f2
0x01a645f2
0x01a645f7
0x01a645fc
0x01a64602
0x01a64606
0x01a64609
0x01a6460f
0x01a646de
0x01a646e3
0x01a646e5
0x01a646ec
0x01a646ee
0x01a646f6
0x01a646f6
0x01a646f6
0x01a646f6
0x01a646ec
0x01a64615
0x01a64615
0x01a6461d
0x01a6462e
0x01a6462e
0x01a6461d
0x01a6460f
0x01a64609
0x01a646fd
0x00000000
0x00000000
0x01a64710
0x01a6471a
0x01a64720
0x01a64720
0x01a64722
0x01a6472c
0x00000000
0x01a6472e
0x01a6472e
0x00000000
0x01a6472e
0x01a6472c
0x01a64738
0x01a6473c
0x01a6474b
0x01a64751
0x01a64751
0x00000000
0x01a6473c
0x01a648f4
0x01a648f4
0x00000000
0x01a648f4

Strings

HEAP[%wZ]: , xrefs: 01A64652, 01A646B3, 01A647C6, 01A64851, 01A64917, 01A6496B
HEAP: , xrefs: 01A6465F, 01A646C0, 01A647D3, 01A6485E, 01A64924, 01A64978
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 01A647E2
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01A64992
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 01A6486F
dedicated (%04Ix) free list element %p is marked busy, xrefs: 01A646CF
Non-Dedicated free list element %p is out of order, xrefs: 01A6466B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 01A6493D

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 1a89eb3a0930a9ebde8ef3a7871704a82373a4de2456438e25c96582a90b15dd
Instruction ID: 234bab39dc942e049b7fd2dc204f802ed8142b6c30ae75bea5c3a08fa4b7943a
Opcode Fuzzy Hash: 1a89eb3a0930a9ebde8ef3a7871704a82373a4de2456438e25c96582a90b15dd
Instruction Fuzzy Hash: 33F14335600646DFDB26DF6DC484BAAFBF9FF8D704F088119E14A9B641C734A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A631DC, Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

Specified HeapBase (%p) is free or not writable, xrefs: 01A633D8
HEAP[%wZ]: , xrefs: 01A63213, 01A6327A, 01A632C3, 01A63328, 01A63376, 01A633BD
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 01A63344
Invalid CommitSize parameter - %Ix, xrefs: 01A63295
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 01A63392
HEAP: , xrefs: 01A63220, 01A63287, 01A632D0, 01A63335, 01A63383, 01A633CA
Invalid ReserveSize parameter - %Ix, xrefs: 01A6322C
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 01A632DB

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 79e7c3bac5e0ddf0cbba84fd504409eb5676bece14d52266eacd8c31e1fa3991
Instruction ID: 57414587c82151dd6526b7874c56ff6a81ba0b2ca096109ffbf55f63fa651fa4
Opcode Fuzzy Hash: 79e7c3bac5e0ddf0cbba84fd504409eb5676bece14d52266eacd8c31e1fa3991
Instruction Fuzzy Hash: 41510A32251245DFDB21DFADC899F6AB7B8FF54A20F088029F50E9B701C671E881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019D78A0, Relevance: 8.5, Strings: 6, Instructions: 989COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 019D794C
{, xrefs: 01A18CEE
LdrpResSearchResourceInsideDirectory Exit, xrefs: 019D7960
MUI, xrefs: 019D7BCA
R, xrefs: 019D7956
T, xrefs: 019D7942

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
API String ID: 0-2515562510
Opcode ID: 73e826fdbf5aea13c2a75289ac1ef48bad5e9c25db230f14bf35191d0cc0da98
Instruction ID: b70edf6879a994cd31e0ae3a34b5e7183c7e0e366c05bdae9f41e867b19f41d2
Opcode Fuzzy Hash: 73e826fdbf5aea13c2a75289ac1ef48bad5e9c25db230f14bf35191d0cc0da98
Instruction Fuzzy Hash: 72925771E04229CFDB29CFA8C880BAEBBB6BF45308F148659D95DAB345D7389941CF41

Uniqueness

Uniqueness Score: -1.00%

Function 019CA309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A11E88, 01A11F71, 01A12124, 01A1225C
(UCRBlock != NULL), xrefs: 01A11EA0
(!TrailingUCR), xrefs: 01A12274
HEAP: , xrefs: 01A11E95, 01A11F7E, 01A12131, 01A12269
(LONG)FreeEntry->Size > 1, xrefs: 01A1213C
((LONG)FreeEntry->Size > 1), xrefs: 01A11F89

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 612e286c2650c166683d724a8951c77ae15c23af73fe76e80238cbcbe8fd447c
Instruction ID: c28c0f4a0be40ce9e04262a19bd1839236eb527115cd918d30ec9fd3bc9e8133
Opcode Fuzzy Hash: 612e286c2650c166683d724a8951c77ae15c23af73fe76e80238cbcbe8fd447c
Instruction Fuzzy Hash: 534201716043869FD715CF38C884B2ABBE5FF98A04F18496DE5CA8B352E734D981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019DC63D, Relevance: 7.6, Strings: 6, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A1A7A7
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A1A780
RtlGetAssemblyStorageRoot, xrefs: 01A1A768, 01A1A7A2, 01A1A7C2
SXS: %s() passed the empty activation context, xrefs: 01A1A76D
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A1A7C7
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A1A788

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 267338a99bbf24e50285cb62e0fe7fdcd3ca9a1206166ee7d518b49f154d1d86
Instruction ID: 3d891e998764692bb9394a25224eeffc16b032533eaf3ba3b91114522a2881ea
Opcode Fuzzy Hash: 267338a99bbf24e50285cb62e0fe7fdcd3ca9a1206166ee7d518b49f154d1d86
Instruction Fuzzy Hash: 72312872F41211BBEB219B5A8D41F6EBB799F90A51F05405DFA09B7240D270AE00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 019C2430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

Internal error check failed, xrefs: 01A0D3DB
, xrefs: 019C24E4
, xrefs: 019C24C0
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 01A0D3CC
minkernel\ntdll\sxsisol.cpp, xrefs: 01A0D3D6

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 463e5060fd794dc648aaddae9c7ab1a9c1906356e94c05e9de8f834499816c7f
Instruction ID: de16606d6c00c3d9f80b32dca9a513a08582d6781b275eb9c9cf3c076962247f
Opcode Fuzzy Hash: 463e5060fd794dc648aaddae9c7ab1a9c1906356e94c05e9de8f834499816c7f
Instruction Fuzzy Hash: 0202AB755083528BD721DF68C180BABBBE4BF88B50F14492EEADD97251E770D844CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 01A364B5, Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

Type:, xrefs: 01A364CE
SR - , xrefs: 01A3652D
Item:, xrefs: 01A36505
Language:, xrefs: 01A364F6
Name:, xrefs: 01A364E7

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Item:$ Language:$ Name:$SR - $Type:
API String ID: 0-3082644519
Opcode ID: aa439289b0ad8d5959fa25d36b8cd5420d86edbfdd4e5132252bf9f992a9c3ec
Instruction ID: 2a1edcc241ef92cb0c771e16b776be0115966b36ba752dbe488cd97e29eb3f92
Opcode Fuzzy Hash: aa439289b0ad8d5959fa25d36b8cd5420d86edbfdd4e5132252bf9f992a9c3ec
Instruction Fuzzy Hash: 5C418071A012297BDF25DB69CC98BDABBBCAF95310F0401E5A54DA7244DE309E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019A40E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A0043F
Invalid heap signature for heap at %p, xrefs: 01A00458
, passed to %s, xrefs: 01A00469
HEAP: , xrefs: 01A0044C
RtlAllocateHeap, xrefs: 01A00468

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: f3c5789100536c0310412a4f3ee487b50c1ab42c29d1a42e19da2bda29c39706
Instruction ID: 8c85495b0d19df70f362928e75c2714d8d8c3172429988e64264f7614a786757
Opcode Fuzzy Hash: f3c5789100536c0310412a4f3ee487b50c1ab42c29d1a42e19da2bda29c39706
Instruction Fuzzy Hash: A10170361042419FD326AB6DF54DF927BA4EBC1F70F1A802DF00E4B782CAE5A484C254

Uniqueness

Uniqueness Score: -1.00%

Function 019C5600, Relevance: 6.2, Strings: 3, Instructions: 2418COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A0EE7C, 01A0F0FA
HEAP: , xrefs: 01A0EE8B, 01A0F109
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01A0EEA5, 01A0F123

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 0c92de2a6a5e50bbd9e1c791a1302e83b202f66c81b5dfb95b50fc65444f5439
Instruction ID: 19861a8f8c255fcc1c1049ed52acbe822927709dccf6aa447a625cf1eff48038
Opcode Fuzzy Hash: 0c92de2a6a5e50bbd9e1c791a1302e83b202f66c81b5dfb95b50fc65444f5439
Instruction Fuzzy Hash: 5723B070A00215DFEB25CF68C480BA9BBF5FF49704F1485ADD48AAB386D735A941CF92

Uniqueness

Uniqueness Score: -1.00%

Function 019D06C0, Relevance: 5.9, Strings: 4, Instructions: 901COMMON

Download Yara Rule

Strings

@, xrefs: 01A15250
HEAP[%wZ]: , xrefs: 01A15076
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 01A1508E
HEAP: , xrefs: 01A15083

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 243429b62f6d459ed6bb344ca7135b8762eae1535788298ac8b291cb900cc4c6
Instruction ID: a7e2c204d803aa17fe669df8b8f2f47e851bf5fd40dc0c0b6687e50b972f84c8
Opcode Fuzzy Hash: 243429b62f6d459ed6bb344ca7135b8762eae1535788298ac8b291cb900cc4c6
Instruction Fuzzy Hash: EB822871E01269CFEB25CF18C884BA9B7B5BF85310F1981EAE94DAB251D7309E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019D701D, Relevance: 5.6, Strings: 4, Instructions: 569COMMON

Download Yara Rule

Strings

#, xrefs: 01A186BA
LdrpResSearchResourceMappedFile Enter, xrefs: 019D70B9
MUI, xrefs: 019D75E1
LdrpResSearchResourceMappedFile Exit, xrefs: 019D70D4

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-3266796247
Opcode ID: c2d58f6fe5550be0b2ee39f496217efc99daa53fcae9413986248ff211949296
Instruction ID: 7c254d514f75ba433450d39cf22f48c8c283508d9c7a0610768b3863dc38e28b
Opcode Fuzzy Hash: c2d58f6fe5550be0b2ee39f496217efc99daa53fcae9413986248ff211949296
Instruction Fuzzy Hash: A832C131A402A98BDF2ACF58CC84BEDBBB5AF45344F1484E9E94DA7251DB349E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A334A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 01A335C1

Strings

@, xrefs: 01A3350A
\Wow\Wow, xrefs: 01A335D9, 01A335DE, 01A335F5

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$\Wow\Wow
API String ID: 4062629308-816453441
Opcode ID: dcbeb65f507b48df2328e9dd49731326ecf34d6a548e4439cb44682489ddc477
Instruction ID: d6023e57d136519175dbd2d40c747b072ee364d5ba074983ce1f2850a81c3c29
Opcode Fuzzy Hash: dcbeb65f507b48df2328e9dd49731326ecf34d6a548e4439cb44682489ddc477
Instruction Fuzzy Hash: F3417A71905219AFDF219FA9C940A6EBBF8FF94B00F04452AF909DB264D734C941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019DC707, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01A1A7E6
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A1A8BE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A1A7E1, 01A1A8B9
.Local, xrefs: 019DC9A4

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: c771aef3027a935871d2eacc82d644ff6b482f70125d75341252c2cd5b6e5544
Instruction ID: eb3995c714f752bedae391706e6cc0a2e9333b48c205640fa0f4b882c24356ae
Opcode Fuzzy Hash: c771aef3027a935871d2eacc82d644ff6b482f70125d75341252c2cd5b6e5544
Instruction Fuzzy Hash: 9BA1DF31A4122ADBDB25CF58DC88BA9B7B5BF58314F1485EED90CAB250D7309E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019D7620, Relevance: 5.2, Strings: 4, Instructions: 220COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 019D7645
MUI, xrefs: 019D76BD, 019D781D
{, xrefs: 01A18841
LdrpResGetResourceDirectory Exit, xrefs: 019D7657

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$MUI${
API String ID: 0-3203766739
Opcode ID: d6e0dbe6ea1a242c211a5032065b92aeacef672d234f1f047ece98b9580eea7f
Instruction ID: 700ac419234231cc4e76ca22806961a2b543fed8d9a23ae4f5cc9da9a833b2d6
Opcode Fuzzy Hash: d6e0dbe6ea1a242c211a5032065b92aeacef672d234f1f047ece98b9580eea7f
Instruction Fuzzy Hash: 4081F735D00205CFEB2ACF98D940BEE77B5FF00358F198595E919AB290D7789A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019CD1EF, Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A1348D
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A13513
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A134D0
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A1344A

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 21b3bf211f74b825401f34c34401d593a08c9ee9d676cd4f0fea3f613c4e12a1
Instruction ID: 797e8545c12654947078038b3c0bcab7d5caf628c93479cb262f51999e1a6921
Opcode Fuzzy Hash: 21b3bf211f74b825401f34c34401d593a08c9ee9d676cd4f0fea3f613c4e12a1
Instruction Fuzzy Hash: 6271AEB1904305AFCB21DF94C885F9BBBE9AF94B64F40096DF98D4A242D734D588CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 019CA229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A11DD7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01A11DF9
HEAP: , xrefs: 01A11DE4
`, xrefs: 01A11C8D

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: f6c1ebf9431c9ff78ab188dbef85a73467151f12bd7950b1c650a6e1805fc956
Instruction ID: 0b7bfc1274181d97fd5d9fbabce6da8be5c19c186e605acebce4d7485e405971
Opcode Fuzzy Hash: f6c1ebf9431c9ff78ab188dbef85a73467151f12bd7950b1c650a6e1805fc956
Instruction Fuzzy Hash: 085108722056959FE712DB78C844F777BE9FF80B50F080968F6998B292E734D904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01A649A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A64A3D, 01A64AB7
HEAP: , xrefs: 01A64A4A, 01A64A5D, 01A64A5F, 01A64AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01A64A61
This is located in the %s field of the heap header., xrefs: 01A64AD6

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 830d2814ecdb7b261ee5c133b2cacb046db3b307efeb625e0b0d518c85252b98
Instruction ID: 0e2b2654417fc946fabc33a7c9cafd1dca1d10972e3e000977f268aae8b16ed8
Opcode Fuzzy Hash: 830d2814ecdb7b261ee5c133b2cacb046db3b307efeb625e0b0d518c85252b98
Instruction Fuzzy Hash: 7E31E136200105FFD721DF59C889F6AB7ECEF58A20F184169F50ACB291D670A844CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 019A751A, Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 01A02811
VirtualQuery Failed 0x%p %x, xrefs: 01A0284E
HEAP[%wZ]: , xrefs: 01A027F7, 01A02834
HEAP: , xrefs: 01A02804, 01A02841

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 55f0abef636adb0c18b97c8ddba7c2dd9c868d5c7fd953906569c26313f34360
Instruction ID: f0da5700e3319cfa26c80191806c1a5b88df456fb7b86e2fd0547de7a4720d7a
Opcode Fuzzy Hash: 55f0abef636adb0c18b97c8ddba7c2dd9c868d5c7fd953906569c26313f34360
Instruction Fuzzy Hash: 0C312C36900245EFDB12DF99CC89FAAB7B8FF84720F544165F90DA7281D771E944CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A63518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

RtlDestroyHeap, xrefs: 01A63571
May not destroy the process heap at %p, xrefs: 01A63561
HEAP[%wZ]: , xrefs: 01A63548
HEAP: , xrefs: 01A63555

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: a32c86c4baa00f21ea8aa72efa2af0a85c737d20b0040031af7fa519019d289a
Instruction ID: abd709202823afc368bc7860699be15c77c83119327eacc73351aa5d517c5e56
Opcode Fuzzy Hash: a32c86c4baa00f21ea8aa72efa2af0a85c737d20b0040031af7fa519019d289a
Instruction Fuzzy Hash: BE0145321102009FCF21EF7D8444BAAB7ECFF81A20F048499E40E9B341DA71E845CA90

Uniqueness

Uniqueness Score: -1.00%

Function 019C99BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A11550, 01A11617, 01A117BC, 01A11905
HEAP: , xrefs: 01A1155D, 01A11624, 01A117C9, 01A11912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01A11572, 01A11639, 01A117DE, 01A11927

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3acae6965eacc464d2b7d8b64b5de1676ee07e6cf676da4a014bdf1b3f946055
Instruction ID: e636f4a27e9963ff781bf41d67adeb6d21b46a16d450688f69347480871d10b8
Opcode Fuzzy Hash: 3acae6965eacc464d2b7d8b64b5de1676ee07e6cf676da4a014bdf1b3f946055
Instruction Fuzzy Hash: 722223706002469FEB25DF2DC484B7ABBF5EF45704F18856DEA8A8B34AE731D881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019CB477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A12973
HEAP: , xrefs: 01A12980
(UCRBlock->Size >= *Size), xrefs: 01A1298B

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: ec332fcda15e670826c6b81beb37ad06bbf540d77f4ec60da3125cacf00f2e71
Instruction ID: 80caf3bfcd347ae98170dfdf6316f4d5031d431f5df8feaa4e437f81e1b73b8b
Opcode Fuzzy Hash: ec332fcda15e670826c6b81beb37ad06bbf540d77f4ec60da3125cacf00f2e71
Instruction Fuzzy Hash: F1E1CC706002469FDB19CF68C985FBABBB5FF44B40F2481A9E54A9B381D730E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B62A0, Relevance: 4.0, Strings: 3, Instructions: 291COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 019B62E2
MUI, xrefs: 019B62B8, 019B63B7
LdrResGetRCConfig Exit, xrefs: 019B62F4

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 59992d2bef0acd43d3125ee8c36f4fbb0dd2c73675414a7c7846771837a1bba3
Instruction ID: 5a4be073b5ae125f364db53697994c1ed807fccc18b54e5da0dc24bc01f2dbe1
Opcode Fuzzy Hash: 59992d2bef0acd43d3125ee8c36f4fbb0dd2c73675414a7c7846771837a1bba3
Instruction Fuzzy Hash: D4B1C371A0161A9BDB15CF68DAC0BEDBB79BF44314F144029E919EB395D770F8A0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004162F6, Relevance: 4.0, Strings: 3, Instructions: 279
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004162F6(char __eax, void* __edi) {
				signed char _t122;
				signed char _t126;
				void* _t129;
				signed int _t134;
				void* _t138;
				void* _t146;
				intOrPtr _t149;
				void* _t153;
				intOrPtr _t190;
				char _t194;
				void* _t220;
				void* _t249;
				char _t252;
				intOrPtr _t253;
				void* _t256;
				void* _t259;
				void* _t262;

				_t119 = __eax;
				if(__edi != 1) {
					while(1) {
						L7:
						__eflags = _t119;
						if(_t119 != 0) {
							 *((char*)(_t256 + _t252 - 0x10)) = _t119;
							_t252 = _t252 + 1;
							__eflags = _t252;
						}
						while(1) {
							L9:
							__eflags = _t252 - 8;
							if(__eflags >= 0) {
								break;
							}
							_push(0x92);
							 *((intOrPtr*)(_t220 + 0x53)) =  *((intOrPtr*)(_t220 + 0x53)) + _t194;
							_t119 = E004092B0(__eflags);
							_t259 = _t259 + 8;
							_t194 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t256 + _t194 - 0x10));
								if(_t119 ==  *((intOrPtr*)(_t256 + _t194 - 0x10))) {
									goto L9;
								}
								_t194 = _t194 + 1;
								__eflags = _t194 - _t252;
								if(_t194 <= _t252) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
						}
						_t7 = _t256 - 0x97; // 0x71f7e8fe
						 *((intOrPtr*)(_t256 - 8)) = 0x2e777777;
						 *((char*)(_t256 - 4)) = 0;
						 *((short*)(_t256 - 3)) = 0;
						 *((char*)(_t256 - 1)) = 0;
						 *((char*)(_t256 - 0x98)) = 0;
						E0041A160(_t7, 0, 0x3f);
						_t122 = E004092B0(__eflags, 2, 5);
						_t13 = _t256 - 0x98; // 0x71f7e8fd
						E0041AA50(_t13, _t122 & 0x000000ff);
						_t14 = _t256 - 0x98; // 0x71f7e8fd
						 *((char*)(_t256 + E0041A3B0(_t14) - 0x98)) = 0x3d;
						_t126 = E004092B0(__eflags, 4, 0x10);
						_t17 = _t256 - 0x98; // 0x71f7e8fd
						_t19 = E0041A3B0(_t17) - 0x98; // 0x71f7e8fd
						_t129 = E0041AA50(_t256 + _t19, _t126 & 0x000000ff);
						_t20 = _t256 + 8; // 0x2e777777
						_t253 =  *_t20;
						_t190 = 0;
						_t262 = _t259 + 0x34;
						 *((intOrPtr*)(_t256 - 0x14)) = 0;
						_t249 = 0;
						do {
							__eflags =  *((intOrPtr*)(_t253 + 0x1170)) - _t190;
							if( *((intOrPtr*)(_t253 + 0x1170)) != _t190) {
								_t23 = _t256 - 0x58; // 0x71f7e93d
								E0041A110(_t23, 0x2e);
								_t24 = _t256 - 0x306; // 0x71f7e68f
								 *((short*)(_t256 - 0x308)) = 0;
								E0041A160(_t24, 0, 0x206);
								E0041A110( *((intOrPtr*)(_t253 + 0x14a4)) + _t249, 0x388);
								_t134 = E0041A6D0();
								_t28 = _t190 - 1; // -1
								 *( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x40) = _t134 * _t28 & 0x00000001;
								_t31 = _t256 - 0x98; // 0x71f7e8fd
								_t138 = E0041A3B0(_t31);
								_t33 = _t256 - 0x98; // 0x71f7e8fd
								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x87, _t33, _t138);
								_t36 = _t256 - 8; // 0x2e777777
								_t37 = _t256 - 0x58; // 0x71f7e93d
								E0041A0E0(_t37, _t36, 4);
								_t40 = _t256 - 0x58; // 0x71f7e93d
								_t42 = E0041A3B0(_t40) - 0x58; // 0x71f7e93d
								E00409E10(_t190, _t253, __eflags, _t253, _t256 + _t42,  *(_t256 + _t190 - 0x10) & 0x000000ff);
								_t43 = _t256 - 0x58; // 0x71f7e93d
								_t146 = E0041A3B0(_t43);
								_t45 = _t256 - 0x58; // 0x71f7e93d
								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249, _t45, _t146);
								_t46 = _t256 - 0x58; // 0x71f7e93d
								_t149 = E0041A3B0(_t46);
								_t192 = _t253 + 0xe90;
								_t48 = _t256 - 0x58; // 0x71f7e93d
								 *((intOrPtr*)(_t256 - 0x18)) = _t149;
								E0041A4E0(_t48, _t253 + 0xe90, 0);
								_t50 = _t256 - 0x100; // 0x71f7e895
								E00408C50(_t50);
								_t51 = _t256 - 0x58; // 0x71f7e93d
								_t153 = E0041A3B0(_t51);
								_t52 = _t256 - 0x58; // 0x71f7e93d
								_t53 = _t256 - 0x100; // 0x71f7e895
								E004099D0(_t53, _t52, _t153);
								_t54 = _t256 - 0x100; // 0x71f7e895
								E004099A0(_t54);
								_t56 = _t256 - 0x100; // 0x71f7e895
								E0041A0E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x72, _t56, 0x14);
								 *((char*)(_t256 +  *((intOrPtr*)(_t256 - 0x18)) - 0x58)) = 0;
								_t63 = _t256 - 0x308; // 0x71f7e68d
								 *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x4c)) = 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x50)) = 1;
								E00409EA0(_t253 + 0xe90, _t253, _t253, _t63, 0x46, 1, 4);
								_t70 = _t256 - 0x308; // 0x71f7e68d
								E0041A780( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t70);
								_push(1);
								_t73 = _t256 - 0x308; // 0x71f7e68d
								E00409EA0(_t253 + 0xe90, _t253);
								_t75 = _t256 - 0x308; // 0x71f7e68d
								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t75);
								_t82 = _t256 - 0x58; // 0x71f7e93d
								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0xc7, _t82, 0);
								_t85 = _t256 - 0x308; // 0x71f7e68d
								E00409EA0(_t192, _t253, _t253, _t85, 0x4a, 1, _t253);
								_t87 = _t256 - 0x308; // 0x71f7e68d
								E0041A780( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t87);
								_t90 = _t256 - 0x308; // 0x71f7e68d
								E00409EA0(_t192, _t253, _t253, _t90, 0x4b, 1, _t73);
								_t92 = _t256 - 0x308; // 0x71f7e68d
								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t92);
								_t99 = _t256 - 0x58; // 0x71f7e93d
								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x167, _t99, 0);
								_t102 = _t256 - 0x308; // 0x71f7e68d
								E00409EA0(_t192, _t253, _t253, _t102, 0x4f, 1, 0x47);
								_t104 = _t256 - 0x308; // 0x71f7e68d
								__eflags = E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287) +  *((intOrPtr*)(_t253 + 0x14a4));
								E0041A780(E0041A3B0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287) +  *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t104);
								_t111 = _t256 - 0x58; // 0x71f7e93d
								E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t111, 0);
								_t129 = E0041A4E0( *((intOrPtr*)(_t253 + 0x14a4)) + _t249 + 0x287, _t192, 0);
								_t190 =  *((intOrPtr*)(_t256 - 0x14));
								_t262 = _t262 + 0x144;
							}
							_t190 = _t190 + 1;
							_t249 = _t249 + 0x388;
							 *((intOrPtr*)(_t256 - 0x14)) = _t190;
							__eflags = _t249 - 0x1c40;
						} while (_t249 < 0x1c40);
						return _t129;
						goto L15;
					}
				} else {
					return __eax;
				}
				L15:
			}

0x004162f6
0x004162f7
0x0041635e
0x0041635e
0x0041635e
0x00416360
0x00416362
0x00416366
0x00416366
0x00416366
0x00416367
0x00416367
0x00416367
0x0041636a
0x00000000
0x00000000
0x00416342
0x00416346
0x00416349
0x0041634e
0x00416351
0x00416351
0x00416353
0x00416353
0x00416357
0x00000000
0x00000000
0x00416359
0x0041635a
0x0041635c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041635c
0x00416353
0x00416371
0x00416378
0x0041637f
0x00416383
0x00416387
0x0041638a
0x00416390
0x00416399
0x004163a2
0x004163a9
0x004163ae
0x004163be
0x004163c6
0x004163d2
0x004163de
0x004163e9
0x004163ee
0x004163ee
0x004163f1
0x004163f3
0x004163f6
0x004163f9
0x00416400
0x00416400
0x00416406
0x0041640c
0x00416412
0x0041641f
0x00416426
0x0041642d
0x00416440
0x00416445
0x00416450
0x00416459
0x0041645d
0x00416464
0x00416470
0x0041647f
0x00416486
0x0041648a
0x0041648e
0x0041649e
0x004164aa
0x004164b0
0x004164b5
0x004164b9
0x004164c5
0x004164cc
0x004164d1
0x004164d5
0x004164dc
0x004164e2
0x004164e7
0x004164ea
0x004164ef
0x004164f6
0x004164fb
0x004164ff
0x00416505
0x00416509
0x00416510
0x00416515
0x0041651f
0x0041652c
0x00416538
0x00416546
0x0041654f
0x00416555
0x00416565
0x0041656d
0x00416578
0x00416587
0x0041658c
0x00416590
0x00416598
0x004165a6
0x004165cb
0x004165d8
0x004165e4
0x004165ed
0x004165f5
0x00416600
0x0041660f
0x00416618
0x00416620
0x0041662e
0x00416653
0x00416660
0x0041666c
0x00416675
0x0041667d
0x0041668b
0x0041669f
0x004166b0
0x004166bd
0x004166c9
0x004166df
0x004166e4
0x004166e7
0x004166e7
0x004166ea
0x004166eb
0x004166f1
0x004166f4
0x004166f4
0x00416706
0x00000000
0x00416706
0x004162fd
0x00416303
0x00416303
0x00000000

Strings

www., xrefs: 004163EE, 004164AF, 00416564, 00416597, 004165F4, 0041661F, 0041667C
=, xrefs: 004163BE
www., xrefs: 00416486, 00416489

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: 8a69f24caac826e16a5dad2e681daa35f24bcc84a2534cafaee34269a6a1ef26
Instruction ID: 4370f1302d9e974ba5174e44d7d420472bb9dad722ef38a7a88f5ffe9938ecc1
Opcode Fuzzy Hash: 8a69f24caac826e16a5dad2e681daa35f24bcc84a2534cafaee34269a6a1ef26
Instruction Fuzzy Hash: 18A1DA71941204ABCB15DBB0CC82FDFB37DAF44318F04455EB6195B183DA78B688CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 019B8794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01A09C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01A09C18
LdrpDoPostSnapWork, xrefs: 01A09C1E

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 315304d7e61e672a760727c44f654cf1ed225859ac2c54eada891121c9c06153
Instruction ID: 06fd26f7bc724b7a23a8830653386c56697d299a8280f7873746ccc9c25e7588
Opcode Fuzzy Hash: 315304d7e61e672a760727c44f654cf1ed225859ac2c54eada891121c9c06153
Instruction Fuzzy Hash: 4A91F171A0020AEFDF19DF59D6C1AFAB7BDFF88315B044069DA0DAB241DB30A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019A8239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

\??\, xrefs: 01A02E2A
UseFilter, xrefs: 019A8263
FilterFullPath, xrefs: 01A02F2C

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 9ed22d00d8b85cc6f0e2aeaf7c4c67614534d9d50809e3a847ed4b435e3cb10a
Instruction ID: 56a7db63d69da26dd75d95823e3b47474878ebbd3aae297ee7d45936a552f918
Opcode Fuzzy Hash: 9ed22d00d8b85cc6f0e2aeaf7c4c67614534d9d50809e3a847ed4b435e3cb10a
Instruction Fuzzy Hash: 4FA14C719116299BDF32DF68DC88BAAB7B8EF44715F1001EAE90CA7250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019CB73D, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A12BDB
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01A12BF3
HEAP: , xrefs: 01A12BE8

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 0835655dd4a2e5e7d4178393d8a7f1723d8785dbc816ecc8f356d8e96d819235
Instruction ID: d544c731474008f85692a19a1d6c86e80fc20d09f7281941c13027862ae80d91
Opcode Fuzzy Hash: 0835655dd4a2e5e7d4178393d8a7f1723d8785dbc816ecc8f356d8e96d819235
Instruction Fuzzy Hash: C9610770600241DFDB19CF28C482B6ABBE5FF44B45F18855EE88E8F645D730E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A523E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A5254F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 01A5256F
HEAP: , xrefs: 01A5255C

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 01433b56eddaf9b71cc55b34206ad0e944d4b1e6d29cee7ba0d34db88db6dd51
Instruction ID: c89edb4dbd4f8affb63148a585f3a5f66100648f9ddbc75a5a34dfd5c1f41597
Opcode Fuzzy Hash: 01433b56eddaf9b71cc55b34206ad0e944d4b1e6d29cee7ba0d34db88db6dd51
Instruction Fuzzy Hash: B151E335118250CAE7B4CF2EC8447727FF1EB88644F58485BEDC68B286D63AE847DB61

Uniqueness

Uniqueness Score: -1.00%

Function 019AE620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

@, xrefs: 019AE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 019AE68C
InstallLanguageFallback, xrefs: 019AE6DB

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 88e657892ad50c1457fec78d583e05e4f5b8585acda8a7b7b605dee28cb1bfa2
Instruction ID: 4eb7051de84ddb77fe6bce5b96de58b19480d6a1edf3676fa9e91aa41818cb93
Opcode Fuzzy Hash: 88e657892ad50c1457fec78d583e05e4f5b8585acda8a7b7b605dee28cb1bfa2
Instruction Fuzzy Hash: 785104729043069BD716DF28D440ABBB7E8BF88714F45092EF989D7291F731D908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019BB62E, Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

LdrpLoadResourceFromAlternativeModule, xrefs: 01A0A937
'LDR: %s(), invalid image format of MUI file , xrefs: 01A0A93C

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule
API String ID: 0-411237641
Opcode ID: 8b1661fdee1132bd7ea17b64cb21831f91def8e7c16dc325eb8a3b0e9e0ed65e
Instruction ID: 9445a87c3035a0bea0b5cef2835507fc3fa670946b9cefec4f5ade6d36a42ba1
Opcode Fuzzy Hash: 8b1661fdee1132bd7ea17b64cb21831f91def8e7c16dc325eb8a3b0e9e0ed65e
Instruction Fuzzy Hash: F2D1AB356083418FD726CF28C6C0BAABBE5BB88754F08492DF99E9B2D1D770D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019B99C7, Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 019B99F2
LdrResFallbackLangList Exit, xrefs: 019B9A04

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-1720564570
Opcode ID: 3246aba76f237daa1871b2fef09150e437933e6a90863b83450e2e6c9f9a4d6d
Instruction ID: cace24b51fda8119b49747d9fa79282f785a264d520a45ab172112adb0cefe7f
Opcode Fuzzy Hash: 3246aba76f237daa1871b2fef09150e437933e6a90863b83450e2e6c9f9a4d6d
Instruction Fuzzy Hash: 53B1D0B2618386CBD715CF18C680BAAB7E4FF85758F04492DFA8D9B281D334D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 01A6E5D7
`, xrefs: 01A6E670

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: f428d3a8e6cb437df35a30733cecce1255d307cab1972b5c3eb36d2d125e0156
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 109180752043429FE725CF29C945B1BBBE9AF84714F18892DF699CB280E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A251BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01A2521D
Legacy, xrefs: 01A25226

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: be75e2dbb68fa072682fb086df96a7ea45e080a10cadbfc0e6e879ecdc4d9aad
Instruction ID: 3f03d132364d7d231243ad544353ba082baffe95f51a133a16e4b26c5fec3640
Opcode Fuzzy Hash: be75e2dbb68fa072682fb086df96a7ea45e080a10cadbfc0e6e879ecdc4d9aad
Instruction Fuzzy Hash: A55149B1E006299FDB25DFA9C990AEEBBF9BF48700F14402DE649EB291D6719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019D84E0, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Exit, xrefs: 019D850C
LdrpResGetMappingSize Enter, xrefs: 019D84FA

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: 5945058fec6cdf5aaa201c2773cdcc3442c7dba46116d8a449c4cca0c16622cf
Instruction ID: cba54e776c95fe64b77c1d9417073a5ccc1c449b7becfabfb26c9b9f9b56eb5c
Opcode Fuzzy Hash: 5945058fec6cdf5aaa201c2773cdcc3442c7dba46116d8a449c4cca0c16622cf
Instruction Fuzzy Hash: 06512871A00249DFEB12CFA8C940BAD7BB9FF44754F448459E909EB296E738D940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 019A4439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

0, xrefs: 019A44A3
Flst, xrefs: 019A4476

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 7ec526ad48656b81a0bab31e515de9c143c4b5b90aa7fccb19a5378ead243df3
Instruction ID: 0bbc9affb75684fefbec42af79387e7878f60926f1479624461bba565c8b80c0
Opcode Fuzzy Hash: 7ec526ad48656b81a0bab31e515de9c143c4b5b90aa7fccb19a5378ead243df3
Instruction Fuzzy Hash: D141ACB1A00248CFDB26CF99D5847ADFBF9FF84714F58802ED14A9B241D770994ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 019B61A7, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 019B61CE
RtlpResUltimateFallbackInfo Exit, xrefs: 019B61DD

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 9f139147f2a620a121cc761efd60c0514aafb1ecf80f1126c634255aac9deee9
Instruction ID: ff8e112b46590369922e79e687461ea794c25b6aec5ecf18e13d8b00abf316b8
Opcode Fuzzy Hash: 9f139147f2a620a121cc761efd60c0514aafb1ecf80f1126c634255aac9deee9
Instruction Fuzzy Hash: F1410171A00205DBEB16CFA9D984FAA7BB4FF81714F144069EA08DB3D1EB35E900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019DD4B0, Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 01A1B0B2
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 01A1B0B7

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: c1f81352b3b9a7bb5e22e7350d5fafc87be9105ee454af1f69b833dda1e7d9f3
Instruction ID: 12a06ec5187dc8ea1cf7394f5d91ce7088de7e1af83dbd1224ef427426f87362
Opcode Fuzzy Hash: c1f81352b3b9a7bb5e22e7350d5fafc87be9105ee454af1f69b833dda1e7d9f3
Instruction Fuzzy Hash: A211CA71B00205FBF725CB9D9D41FAB76E99BD4B64F14C069BA089B2C4D671DD0082A4

Uniqueness

Uniqueness Score: -1.00%

Function 019BC1C0, Relevance: 2.1, Strings: 1, Instructions: 876COMMON

Download Yara Rule

Strings

MUI, xrefs: 019BC2EE, 019BCB6D, 019BCE47

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: b8fe69453d9ed7e5d8e30dec8b2bccc1e54d7ac4170561b6a2d27400b7881131
Instruction ID: 2e9e78281127f098a3a610c0310170db01f2ff5f1c52b1976085f165df72386d
Opcode Fuzzy Hash: b8fe69453d9ed7e5d8e30dec8b2bccc1e54d7ac4170561b6a2d27400b7881131
Instruction Fuzzy Hash: 1C727C75E00219CBDB21CFA8CAC0BEDBBB5BF48714F14856AE95DAB241D730A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019CB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019CB9A5

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: e02c58eeb6548efd728cf00742407970fe3f2e757a768f19f71f1db9259d3a53
Instruction ID: 7a73761b31897ae83a7279ac0183b3229c038c64ea99c9f83fe78f8f28be45c2
Opcode Fuzzy Hash: e02c58eeb6548efd728cf00742407970fe3f2e757a768f19f71f1db9259d3a53
Instruction Fuzzy Hash: 30515C71608341CFC721CF6DC48192AFBE9FB88A94F14496EE6CA87355D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019D65A0, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

+/o, xrefs: 019D67FE, 019D6818, 019D6822, 019D6834, 01A17D34, 01A17DA2, 01A17DB0, 01A17E21

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +/o
API String ID: 0-3495357651
Opcode ID: 739c75ee13a1dfd2f085b9c9cf6407c7d381332ae75b95b8a7ad62b6a45da51d
Instruction ID: bc3e00fd32426aac6f135042c306e66f038af807cb5880c250a2d654a1b9c697
Opcode Fuzzy Hash: 739c75ee13a1dfd2f085b9c9cf6407c7d381332ae75b95b8a7ad62b6a45da51d
Instruction Fuzzy Hash: 18E1B475A00209CFCB18CF59C480AADBBF5FF88310F588159E959EB395D734E985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 019D2642, 019D2691

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d5484aff0b124e1fb439e9aaa042bd3e16ffcff64d80035aaa8bb3608947dceb
Instruction ID: b175d3d99db3830725ebc70aa5d8c925daab5e605951eeba29c01336136899d0
Opcode Fuzzy Hash: d5484aff0b124e1fb439e9aaa042bd3e16ffcff64d80035aaa8bb3608947dceb
Instruction Fuzzy Hash: 6DC1B075E00219DFDB25DF99D880BAEBBF5FF88740F45802AE509BB250E734A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019DD7CA, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

@, xrefs: 019DD883

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f9e51fa7ed1cb36f85b7a86adbf40520465290fbffd2fdb35cf32ec65272afcf
Instruction ID: 3409d3a92e80dbe89ad6dc1a614a3924d81d9c23c9b1989c3a175a77c49e9956
Opcode Fuzzy Hash: f9e51fa7ed1cb36f85b7a86adbf40520465290fbffd2fdb35cf32ec65272afcf
Instruction Fuzzy Hash: 4C617E71D0121AAFDF21DFE8C844BAEBBF9FF94710F108169E918A7294D7759A01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019DF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 019DF124

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e502630b576cb03ed46b6cd8d01a24dfdd64b09bc6f974d37fe60ddca89e7b9e
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: F7518F726047119FC321DF29C841A67BBF8FF88710F00892DFA9A87650E774E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A23540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A2358F

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b8868a55fb113a4392c53ae5330c95799cffda5a70e446945cd4ca407354d888
Instruction ID: df84da227754672b28babc3d0abeb1b63cb28495e65e6fd0a10efd1f924a6fec
Opcode Fuzzy Hash: b8868a55fb113a4392c53ae5330c95799cffda5a70e446945cd4ca407354d888
Instruction Fuzzy Hash: 8C4131B1D0052DAADF21DA54CC84FAEB77CAF45714F0045A5EA09AB240DB749E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A705AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01A70633

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 1a11265857370573c6abcf3fd1f9771d24e65c003933293984cfa7bb6697f708
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CB31D3726043466BE710DF28CE45F977BD9EBC5754F144229FA58EB280E6B0EA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B14A9, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

#, xrefs: 01A0695C

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7214fd34cf6f3db3f10b96e9e4271c303fd579c4ef9ef36f97b02541178c6b54
Instruction ID: b21a018e8001b9785578f63fa40bc04fa93ae3afd9a4ea16d8a637fa204b3a82
Opcode Fuzzy Hash: 7214fd34cf6f3db3f10b96e9e4271c303fd579c4ef9ef36f97b02541178c6b54
Instruction Fuzzy Hash: EA41EF71A0021ADBCF22CF48DAA0BFEB7B9EF80701F04012AE95AA7240D770D951C791

Uniqueness

Uniqueness Score: -1.00%

Function 019D4020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019D40E8

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: 7a7298500decf5bb444350c3c6e4a4dbc4ef0a0b72732c40b399872ae92938f8
Instruction ID: 523bdce28fc6f75e8d0411cb252a5bbe2982a3176846441a88ee39305756ecf2
Opcode Fuzzy Hash: 7a7298500decf5bb444350c3c6e4a4dbc4ef0a0b72732c40b399872ae92938f8
Instruction Fuzzy Hash: 2C417375A0074A9AD725DFB8C4416E6F7F8FF69300F00892ED6AEC7640E330A545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A23884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01A238B4

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: d8bc4f3fe21a42c6768df75c6aa6a1ac7abb511e7777192004243eb7c59176a8
Instruction ID: 0a4c158a2a04df3d7ebe22bc9b0f28fc5e576cbc6156d9d185a87e705a8099bd
Opcode Fuzzy Hash: d8bc4f3fe21a42c6768df75c6aa6a1ac7abb511e7777192004243eb7c59176a8
Instruction Fuzzy Hash: A4312632A0152AAFDF16DB5DC955D6BB7B4FF86B20F014129E918A7240D6349E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019DD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 019DD303

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aed96787c1cbb2095348e760a0d45353a41d09d03ae913c7a9b5b02dbc7bae5d
Instruction ID: d7ded9efba870d4fd19783e6765a574193166237315cb2fcb8b5da1cab649339
Opcode Fuzzy Hash: aed96787c1cbb2095348e760a0d45353a41d09d03ae913c7a9b5b02dbc7bae5d
Instruction Fuzzy Hash: 4B318FB5508305AFC721DF68C984A6BFBE8EBD5658F40492EF99983290DA34DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019CF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 019CF73F

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 4ea59732c4bdf6469221729b1ad2d8fa4f2930825466ba3c6b6de76e4ae2907f
Instruction ID: eae6d0016bb5cdc3503ed1ede6f54714f39526976b46f19c0a48a30a3a8b5179
Opcode Fuzzy Hash: 4ea59732c4bdf6469221729b1ad2d8fa4f2930825466ba3c6b6de76e4ae2907f
Instruction Fuzzy Hash: FE119035304B028BEB254F1D8490B36769BEB85F25F25492EE5EDCB791DB70C8418343

Uniqueness

Uniqueness Score: -1.00%

Function 01A660F5, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182de7a0cf7067d0b85e45aefe27e8dd6e8e81a9913f757ecbcf28a7b3f3910a
Instruction ID: 06226b73fe186ef844336cf911a731ba7c5da352f1ac9963c7715e30f48bf214
Opcode Fuzzy Hash: 182de7a0cf7067d0b85e45aefe27e8dd6e8e81a9913f757ecbcf28a7b3f3910a
Instruction Fuzzy Hash: 502293756043118FD719CF29C490A2AB7E6FFC8314F184A6DE99ACB395DB30E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B1915, Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3677dfae53eb5695234de58e4482ff9f68321094a3a95add7d6dcb53d8331e96
Instruction ID: 17ca9cf4113c248c8c80dfea2b87cf4f2046c39c9a73bcb3b65851524e92cc8f
Opcode Fuzzy Hash: 3677dfae53eb5695234de58e4482ff9f68321094a3a95add7d6dcb53d8331e96
Instruction Fuzzy Hash: 44226170E0021ADBCB1ACF99D5909FEBBF6FF44304B15806AE949AB241E734DD91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 019C4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a305bd9d9187dedd6cc07f2686adbfb92caf453a034a37a6436fd25f1041c998
Instruction ID: bcad07e8406a3aa988b96ba94814991f76544c159949e4ad5acbc29d0c7891ce
Opcode Fuzzy Hash: a305bd9d9187dedd6cc07f2686adbfb92caf453a034a37a6436fd25f1041c998
Instruction Fuzzy Hash: 7BF17A706083518FD725CF19C4A0A7ABBE5BF98B14F54492EF9CACB290E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019B34B1, Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c2f874d3dc5b4d9421a7b36a81a3dd36c3f429a932a27a4c5ea318a08f9dc6
Instruction ID: c4542b31a6348ef6e91315b03ded9b545845678d6c7cd31c9dc45b1fde6b80ee
Opcode Fuzzy Hash: 96c2f874d3dc5b4d9421a7b36a81a3dd36c3f429a932a27a4c5ea318a08f9dc6
Instruction Fuzzy Hash: 3DF18171E1021A9BDB15CF99DAC0AEEBBF5BF48710F048129E949AB341E774ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019D20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fce1b39984ae3bf2c20d0df2edb31815c399eb86de97233cbcb4452f59a5dd
Instruction ID: 7f981b5b22eb1295405fc31c26f5401f186af0c2f720f8abece7aa365d203a70
Opcode Fuzzy Hash: d4fce1b39984ae3bf2c20d0df2edb31815c399eb86de97233cbcb4452f59a5dd
Instruction Fuzzy Hash: 14F1A375A083419FDB26CF2CC440B6ABBE6BFC6714F08C91DEA999B245D734D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019C4670, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e83e608057487198b71ea401d6ace523d143e1d6e01b312a2b99aeb19b0833
Instruction ID: 3c6da9d5681acf1b10e1f3a3a663cc83ac3e7b3c8aad6127e192aca2e24b487e
Opcode Fuzzy Hash: a7e83e608057487198b71ea401d6ace523d143e1d6e01b312a2b99aeb19b0833
Instruction Fuzzy Hash: 41E1CD70F002499FDB16CF68C9A4BAEBBF6EF85700F18846DD449AB281D735A941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019BD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b893a6e6943f482ef63d331db874b5a178002c4dd596b2b7b60983a420a8d4a4
Instruction ID: 48464b7dc176b57a999ac23910d610f3c6a4ff2b9117b3331b82bae471717ed0
Opcode Fuzzy Hash: b893a6e6943f482ef63d331db874b5a178002c4dd596b2b7b60983a420a8d4a4
Instruction Fuzzy Hash: C1E1C074A0025ACFEB25CB58CAC4BE9BBF5BF85318F0501A9D90D97291DB34A981CF52

Uniqueness

Uniqueness Score: -1.00%

Function 019CB236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 3d492fdd71ba91be171da3cff1cfe7973c8667cd0a10d484e5e2b8980db7f916
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 51B1E4317046069FDB15CBA9C891B7EBBFAEF84A40F24456DEA8AD7385D730D900CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019B849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2709d3261749d469d8ad25ed50b8f4ce94f893c31854921c7f0b2b3fcc79de7e
Instruction ID: 10a55c1d07cebad2f9cc55c6f054357ff77aa916488262b9d4b7758cf85deeac
Opcode Fuzzy Hash: 2709d3261749d469d8ad25ed50b8f4ce94f893c31854921c7f0b2b3fcc79de7e
Instruction Fuzzy Hash: E9B17E74E00209DFDB15DFE9CAC4AEEBBB9BF89704F104529E509AB245DB70A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019B161A, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa39b63aa5f48d85c7fca658f9b291c5fec05367856c295d1d411856b28c22d
Instruction ID: c098ded61996299b8372c918e1867b4b86f6cdc61299115995518c72e882c2b1
Opcode Fuzzy Hash: efa39b63aa5f48d85c7fca658f9b291c5fec05367856c295d1d411856b28c22d
Instruction Fuzzy Hash: C4A17E7190021AAFEB23DF68DC95FAE7BB9EF45714F004464FA08AB290D7759C51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D37EB, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0b8940b185e760e90888364d8af79e63dd0dd2e19735d5b00ab0f6f31103c3
Instruction ID: 9c38931a477117f6941bf37c1368318e0f239d659ed375e2c56daf6fdc8ba875
Opcode Fuzzy Hash: da0b8940b185e760e90888364d8af79e63dd0dd2e19735d5b00ab0f6f31103c3
Instruction Fuzzy Hash: F8B145B1A00609DFCB15DFA9C940BAEBBF5FB88701F14852EE51AAB351D734AA01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019D513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd2da753498b38cef29c407d1dcd0f7da1297ed6821542cc17ada1470f4400a
Instruction ID: 92cae557885f9c6226c672b88cf3b90f8d9f4f4b54b4ccbc48cd8de5b8788009
Opcode Fuzzy Hash: 5fd2da753498b38cef29c407d1dcd0f7da1297ed6821542cc17ada1470f4400a
Instruction Fuzzy Hash: 5DC114755093818FE355CF28C580A5AFBF1BF88304F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019D03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff3777643020f588d8d05ca6f2059bfa1608916ea8c87c56af4dfc60253c496
Instruction ID: f87c825b597f0ab4afdbeba415a83979e13961257f4ca9bfad4c1154517dda79
Opcode Fuzzy Hash: 1ff3777643020f588d8d05ca6f2059bfa1608916ea8c87c56af4dfc60253c496
Instruction Fuzzy Hash: 78914731E00215AFEF329BACC844FBD7BE4AB05B24F094265FA15AB2D1EB749C40C781

Uniqueness

Uniqueness Score: -1.00%

Function 019AC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac24d96315c0d86c22c0ec1ff4372bdd4df86fdb8719b73c0e70fc9e3f53203
Instruction ID: 5699bc896b54e26d6ff848ef37ed61792cad67b3e6b06a6416c9945d51ae19d1
Opcode Fuzzy Hash: 4ac24d96315c0d86c22c0ec1ff4372bdd4df86fdb8719b73c0e70fc9e3f53203
Instruction Fuzzy Hash: 2B81B8766082028FDB26CF98C880A7B77E5FB84354F58581EEE45DB249D730ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019D138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 63b7245fba1b43d63eb82faff265f14e5c635f2705435e72946df76e4d9b6f4c
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: DD818B75A007459FCB25CF68C540BAABBF9FF89310F14856AE99AC7751D330EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6B2E8, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767ca85383b903ba579ad487abbc1c462eed191f65fbf26f5dfc3fcdba65cc2a
Instruction ID: edb17ec59d58960e7fbf3525ff50fa1877df82bec160bdb5065784da065711e4
Opcode Fuzzy Hash: 767ca85383b903ba579ad487abbc1c462eed191f65fbf26f5dfc3fcdba65cc2a
Instruction Fuzzy Hash: EE71E072204351AFD711DFA9C984A6BBBECFF88750F044529FD99CB215DA30D908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019C97ED, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891e6c391060cbe0e4c25dced13c30ecc6ecfe9319f1e8fcc3a6e1c3ae2b7bb7
Instruction ID: 35262e486cf65e02b286fd1aeff3d0eb1426665eb784b47051975d79a7abc667
Opcode Fuzzy Hash: 891e6c391060cbe0e4c25dced13c30ecc6ecfe9319f1e8fcc3a6e1c3ae2b7bb7
Instruction Fuzzy Hash: A071E076604652CFD312DF28C480B6AF7E8FF84B14F058569E89ACB352D734E941CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019BF370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787a70d2a6a6459d8cb0c30ef6f66f9e800aa6f183760b09f158cad2ffa0046
Instruction ID: dd1e4496fdae7a148b730ae7e77eb1aabd27d9ef36f6b38a4f15d6f5053b7fcb
Opcode Fuzzy Hash: 7787a70d2a6a6459d8cb0c30ef6f66f9e800aa6f183760b09f158cad2ffa0046
Instruction Fuzzy Hash: 7B611436A001158FCB16CF5CC9C46BEBBB2EF85B00B1884A9E859DB385DB38C946C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A656B6, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3dca50f741ff6f4deb01f56d802c625a19444c9211d769d898219b5c4d8cc9
Instruction ID: 20d171d8ece01942c3bf4edbc36727f27339baa6c1fb4cd6ff9f357181fcdc33
Opcode Fuzzy Hash: 4c3dca50f741ff6f4deb01f56d802c625a19444c9211d769d898219b5c4d8cc9
Instruction Fuzzy Hash: C6816D75E0060ADFCB09CF68C890AAABBF5FF98310F188669D855DB345D734EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019A395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15499248d09edc7a5e18c4ddced9cabad3cfef79126a989819354ae9f79b6ade
Instruction ID: a0efae7ee89b298242811e87fcd399946060db1f9f784d3b691e8c15d25fd4a6
Opcode Fuzzy Hash: 15499248d09edc7a5e18c4ddced9cabad3cfef79126a989819354ae9f79b6ade
Instruction Fuzzy Hash: A251C171A00705DFDB21DF99C894F6BB7A9FF90319F50482DE14A87651CB74E948CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019AB171, Relevance: .2, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8ca39f4c45bf0120e22dad74dd4e9f3a205d41ff879691d0f72b8e047f3ba8
Instruction ID: 45e1ab8fbd8eed0841ac6e7f0aea52742abde9724adf59eb7f5e0505b5a000fb
Opcode Fuzzy Hash: 1b8ca39f4c45bf0120e22dad74dd4e9f3a205d41ff879691d0f72b8e047f3ba8
Instruction Fuzzy Hash: 1951D071D0025A8EEB33CF68D844BAEBBF0BF48710F1445ADDA59AB2C2D7704A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D95EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a561183eda026ccf34b16df6c255c8aab0e847e38f997159abf742ed3593dc
Instruction ID: 3eca7fc84f62c0f80694ebf0061a8f31eef72265d99e5d383a6aee7c9eabaf4b
Opcode Fuzzy Hash: 44a561183eda026ccf34b16df6c255c8aab0e847e38f997159abf742ed3593dc
Instruction Fuzzy Hash: 0A511370A0060AEFDB16EF68C858BBEBBB4FF54319F108569D41A97290DB749911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019A8760, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e071a218df035798d556e04d7a041afcbba84b84a005531a9e7e5ff35d1ae27d
Instruction ID: 4fe12fa4b3797692ba215653d880a3fede666d616c505ba9e1efcbef4f4eed8e
Opcode Fuzzy Hash: e071a218df035798d556e04d7a041afcbba84b84a005531a9e7e5ff35d1ae27d
Instruction Fuzzy Hash: 7E515432A01601DFDB269F5DDD80F6A77B9FFA4752F084469E91A8B2A1CA34DC01CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 01A6B581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa45c893f88a03bd59db2ed9fc5a2f3758c7d1eb542d263fa796e1d70173606
Instruction ID: fcfcb78710cee43509f4872e2caf49dc82b9fe7e57362cae818591ca7f78542f
Opcode Fuzzy Hash: 9aa45c893f88a03bd59db2ed9fc5a2f3758c7d1eb542d263fa796e1d70173606
Instruction Fuzzy Hash: 2251E3717057428FE315DF68C954BA6BBE8BF90714F18046DE986CB291EB34E805CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019A52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda1a332de073dfc859bbe51a145baa1aa80de00176b893b8e510ecfbc0d4d0b
Instruction ID: 564125d263811483f3c00389eb894866c68084785104975c7dd27d0f402382d5
Opcode Fuzzy Hash: dda1a332de073dfc859bbe51a145baa1aa80de00176b893b8e510ecfbc0d4d0b
Instruction Fuzzy Hash: 7051EF70205342AFE722DF68C944B67BBE8FF94714F14491EF89987691E770E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019AC9FF, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2d230ff832fc7479c003258312aab60ec1f44473d311bb470699d5d8a74f64
Instruction ID: 2bbf9003a2f75539ada2d85121867c6af8be173c776b6c9e02ffd11429a9fce5
Opcode Fuzzy Hash: 1e2d230ff832fc7479c003258312aab60ec1f44473d311bb470699d5d8a74f64
Instruction Fuzzy Hash: FA617671E1161ADFDB16CF68C540BADBBF0BF48720F14825AE858AB341D734AA45DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6B0C7, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f86ce16093e264387db99b5d04a33cced65ef80ee6b6290f022c67b8b52846
Instruction ID: f256072cd2224a39042ece69ac201d065f2024480c049ca0882256b1aaafa259
Opcode Fuzzy Hash: 04f86ce16093e264387db99b5d04a33cced65ef80ee6b6290f022c67b8b52846
Instruction Fuzzy Hash: 3651B972A00704EFDB26CF68CD40BAEB7F9EF44310F058569E916EB190D7749A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 5ca62ee17dbe570f0792d938fd33839cad64efcb54239608e472347df50dd734
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: D2519D71600646EFDB16CF68C984A56BBF5FF45704F1480BAE9089F212E371EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019D2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9a7410a26770b45eff0c8fb0c5f97bc4eb368edb3224348dee8c5df69b5385
Instruction ID: ee35d2d581c11e0d95a955987dcf8bfdcc49e31a5752c35ac468f0b7fb12164b
Opcode Fuzzy Hash: ab9a7410a26770b45eff0c8fb0c5f97bc4eb368edb3224348dee8c5df69b5385
Instruction Fuzzy Hash: 8F517B71A0021ADFDF25DF99C980AEEBBB5FF98350F148165E918AB250D3319D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019A5050, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd5385e9cb6ab0dbc397b685bce2f71e94942f2de43c339695eb5ddae8c55d5
Instruction ID: fdbd510ee320f48f9aa899dae773d29fba17758671e390ce995d3f4cfb346164
Opcode Fuzzy Hash: 9bd5385e9cb6ab0dbc397b685bce2f71e94942f2de43c339695eb5ddae8c55d5
Instruction Fuzzy Hash: 3541F2366043129BD325EF28C980B7ABBA4BF94750F010929F99987281D630EC45C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 019A1618, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3649dc82e84df9e3e56a65ff94c9f85dc75fe76d9b57048bd2b6e92ba8e1a23
Instruction ID: 33254daf68f5cf9b084c1c4bbee3d3c1e148014c9b99c67d42b05e6e62c9836e
Opcode Fuzzy Hash: a3649dc82e84df9e3e56a65ff94c9f85dc75fe76d9b57048bd2b6e92ba8e1a23
Instruction Fuzzy Hash: 1A41E139900216DBCF14DFA8C440AEDBBB9BF48600F59516AE909E7350D7308D49CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 01A36365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: ec7aa60980267c873a23859c479af6ac5a7b49dc80a71469c5a606bb8b508038
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: F241B136A00505FBDB25DF68C950BAF7B79EFC4B10F194069FA0A9B251D671DE01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019A649B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3854da626126aa081629a2a0be3d2ab9fd5049d238e370e99014962a316301fa
Instruction ID: 9a574579c2a9fea27b6d0f5b2f0d966bb7a9831864bfeda504b51f6c8d6e9e20
Opcode Fuzzy Hash: 3854da626126aa081629a2a0be3d2ab9fd5049d238e370e99014962a316301fa
Instruction Fuzzy Hash: F9415E325083069ED312DF64D980AABB6E9EF84B54F45092EF999D7250E730DE18CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 019A9450, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdd712a2fa0cfcb15263e76a605d83d9ed9224d7ed9c5f299158a8fb8885060
Instruction ID: 0dac6227d124d3008e9af8d5a3131ff927dd4136a8cd2a2855d4455a0af59a1c
Opcode Fuzzy Hash: 3fdd712a2fa0cfcb15263e76a605d83d9ed9224d7ed9c5f299158a8fb8885060
Instruction Fuzzy Hash: FB413A31E002259FDF27DF5D9480BBA7BB0FF95B18F9580AADA495B280D6359E48C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 019B0100, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaec72c7252d6170edf75b55ad8fb529a8ea8c699ff4332920b1817a5d45325
Instruction ID: cd9c1fbae19b2d687cec66ac50a02135f3fa76d73c28826a276f820441df8e1b
Opcode Fuzzy Hash: adaec72c7252d6170edf75b55ad8fb529a8ea8c699ff4332920b1817a5d45325
Instruction Fuzzy Hash: CD41EF31944305DFCF26DF68CA80BEF7BB4BF54758F080519E429AB292D7308995CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D99BC, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee01b58493699b361dd64c4a8e1469a735f965e7424efda672029b4d96a6989
Instruction ID: bae7b03f45adfa62349cf69b750515238a2f86c9849ddb1dc07401ee9d236465
Opcode Fuzzy Hash: eee01b58493699b361dd64c4a8e1469a735f965e7424efda672029b4d96a6989
Instruction Fuzzy Hash: D741CC71501705CFCB25EF28C940B59B7FABF95318F15C6ADD14E8B2A1DB34AA81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 019BB433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: 84e25232b1fcf50bde1a64ee38e668a3e33aa1d2226905a915d55263d5d127c3
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: 1A411731600645AFDB22CBA8CD84FDABBB9EF50740F0485A5E45A97392C678A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A269A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078f4631f9e877d2fef9312e3011892e1678b958652f9c02d201871e28769a5e
Instruction ID: 69873276c5e3b5c6b80a19c4d972b675864b407e63ab532f3ea10174f9c1baf7
Opcode Fuzzy Hash: 078f4631f9e877d2fef9312e3011892e1678b958652f9c02d201871e28769a5e
Instruction Fuzzy Hash: 37419DB1D01219AFDB24DFA9D940BFEBBF4FF88714F14812AE919A3240DB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019A5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22c3947900f484be269ea26761f3411ae466e6106841afcf6215c8134d471e8
Instruction ID: 97cc8fdb10391cde40586fd19800a3a2d3a31d222240997151b4ac482fa72540
Opcode Fuzzy Hash: f22c3947900f484be269ea26761f3411ae466e6106841afcf6215c8134d471e8
Instruction Fuzzy Hash: 38313931651711EFD7279B18D980F6A77A5FF607A0F514A19F85D4B1E0EB30E804CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 019B17B5, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd6a450d93a826057757ef78367007fed2343683e16492fc09c60c713cd61c8
Instruction ID: bf6b7dd5a076f1a2ee5865872b42cf75c38bc6ed8f9bf4a6ea420d2f64b7208c
Opcode Fuzzy Hash: 9fd6a450d93a826057757ef78367007fed2343683e16492fc09c60c713cd61c8
Instruction Fuzzy Hash: BA418175A0022DAFDB22DB58DD90BDABBB9FF85710F1101E9A54CA7240DB319D848F52

Uniqueness

Uniqueness Score: -1.00%

Function 019DA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2bf7769fbd51f26b65091f987f40f36465bb955b5c1ea489c0a4b8ae9540a
Instruction ID: 26cf4dc8f84ed93c22dfe43680143c8f70307f583de8271c01d3089591e747f4
Opcode Fuzzy Hash: 04e2bf7769fbd51f26b65091f987f40f36465bb955b5c1ea489c0a4b8ae9540a
Instruction Fuzzy Hash: 404158B5A05209DFCF15CFA8C590B9ABBF1BF89304F19C0A9E909AB348C774A951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 019CC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 3be41f50cd5f3f7bdeb8ae8964ee3dee3e2927bb0f0599a386eaa26d2755a575
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 94314672A01547BED705EBB8C8C0BE9FF59BF92604F14415ED45C47202DB38AA09CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01A27016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10298eaeeced3fb95a0cf4c8ef57bb9aeb01bacf2f833cfa171f430f8ba584bf
Instruction ID: 6e31f2925d1c70042ddbb7cc39933c49d67ba7d04b99a043aa562f35bc169655
Opcode Fuzzy Hash: 10298eaeeced3fb95a0cf4c8ef57bb9aeb01bacf2f833cfa171f430f8ba584bf
Instruction Fuzzy Hash: FE31C6726047519BC321DF6CC940A6AB7E5BFD8700F144A2DF99987690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 019A8466, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933cdc560891fdbe1bc6850987df0e3b90d1e1fa653987f549d444d4962c9ed9
Instruction ID: 48fd1a2dfad3ca0269505c7c17430272b075d42a142763fc2e37afaf54e75880
Opcode Fuzzy Hash: 933cdc560891fdbe1bc6850987df0e3b90d1e1fa653987f549d444d4962c9ed9
Instruction Fuzzy Hash: F531C2B0640202DFDB26DF29C944B5AFBF8EF95742F5184A9E98D8B251DBB0D844CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A25623, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a646c22e84ee9f63bef6aa22fcab9581e90620e05cfbc00c944612be2377bc04
Instruction ID: fd79b10b7661d248eca3ca14534feb692fbf2ab4670bcdfa7ac5a04baf4ec9d9
Opcode Fuzzy Hash: a646c22e84ee9f63bef6aa22fcab9581e90620e05cfbc00c944612be2377bc04
Instruction Fuzzy Hash: 8831C671E457A19BF736976CCE48FA43BD5BF41B70F2C07A0EA218B6E2D7689400C611

Uniqueness

Uniqueness Score: -1.00%

Function 019D53C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582c0dedeba8735afa5b7a045f61bb54845f6dafe800a8dd5c816281008a19fc
Instruction ID: 30401e777d6542747c1958d50c642ed5fecbb496946914df8a19d8671a61bf6f
Opcode Fuzzy Hash: 582c0dedeba8735afa5b7a045f61bb54845f6dafe800a8dd5c816281008a19fc
Instruction Fuzzy Hash: 9C410034A047468FEB22DFB8C5407EFBAF2AF51314F14452EC08AAB345DB355905CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 019AB080, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1d4464dcf675440abfaae0d6aab073001d77295e59b9c11b71b3e00d3d1869
Instruction ID: 2e382023c4614a114bf49a07f4842043ae246e6ab0de43b588a450251e70b447
Opcode Fuzzy Hash: 6d1d4464dcf675440abfaae0d6aab073001d77295e59b9c11b71b3e00d3d1869
Instruction Fuzzy Hash: 0131B1B26002059FC712DF28D980E56BBE9FF89710F60466EF95A8B285DB31E905CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019A3880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1272924e030b4df7d0c6c3938168609d294bdb0edc46191e74c8c65e6d32ff
Instruction ID: 1328f479d68b1f2fd0aa3c6fc4ac93b5632d533e51ef7ae0e1d73aec78f28714
Opcode Fuzzy Hash: cb1272924e030b4df7d0c6c3938168609d294bdb0edc46191e74c8c65e6d32ff
Instruction Fuzzy Hash: 0231A132E01219FFDB21DEA9C840AAEBBF8FB88750F014529F959E7250D6709E048BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01A6A189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52031652ff233bff3d2c78a6b17afbbafb0ef4236a297753a9b1e93e06a281b6
Instruction ID: 6e9d894785844a90418559db6f1d6a585d0329bcc5195d140faad4dc68c83059
Opcode Fuzzy Hash: 52031652ff233bff3d2c78a6b17afbbafb0ef4236a297753a9b1e93e06a281b6
Instruction Fuzzy Hash: 1B310371B40216EBCB269FA9C850B6FBBFCEF84750F100069E509EB351EA71DD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 019DA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac623f82e185319c74df136be9185785a1f8e387c45bff2fe8721a4cf39067fc
Instruction ID: 12b857cfa96d3591f22d362312f095dfc03ff0c0b4f78c06d69d81eb18d9d5ef
Opcode Fuzzy Hash: ac623f82e185319c74df136be9185785a1f8e387c45bff2fe8721a4cf39067fc
Instruction Fuzzy Hash: 5D31E4B56242059FC721CF88D8C0F697BF9FB85710F15895AE20BC7244DBB09992CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019D61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec0c7c33bc3e0a463be14b2790b6ca636c5d0d487631d5bbd56113ade53c7f7
Instruction ID: d7c8734842825a271b90c5d0641026294f6b76d4d1539944ebcb96f75f716d24
Opcode Fuzzy Hash: cec0c7c33bc3e0a463be14b2790b6ca636c5d0d487631d5bbd56113ade53c7f7
Instruction Fuzzy Hash: 62318F726053018FE360DF5DC900B2ABBE4FB98B00F05896DE998DB355E770E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019A6730, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f466a2a71f6c5ee97e0e7e4e2ff26946fc5f3872ac16fbd6e559c7c1ea2ac4
Instruction ID: a68c84c709e46ee060d0db91bc41dcb5bf5a639192a21d911483106da16f1ec5
Opcode Fuzzy Hash: b6f466a2a71f6c5ee97e0e7e4e2ff26946fc5f3872ac16fbd6e559c7c1ea2ac4
Instruction Fuzzy Hash: 0331C135611A06BFCB12AF64DA84EAABFA1FF84710F445425E80547AA1DB31E874CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 019DD715, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446c9dedb9c1a9153563e5c51f0489f9a265362357ab40cd9362941a3b1148d9
Instruction ID: c296c82988ad53092e7bedc074e232f9238055e05e4db3c4333c4d9dd9b9505b
Opcode Fuzzy Hash: 446c9dedb9c1a9153563e5c51f0489f9a265362357ab40cd9362941a3b1148d9
Instruction Fuzzy Hash: 5C31AFB16083458FC715DF58D880A5A7BE9EF98750F0505A9FC59D73A0D731DC04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019DE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6b08333402769cf6e5923c3a08f6f1a13030ebe3b0e714c1075f88e900e273
Instruction ID: b00b5333c37b33bc940ccf0347bedc951431db7141dd4edbddfc4b1ccbfd5641
Opcode Fuzzy Hash: 4c6b08333402769cf6e5923c3a08f6f1a13030ebe3b0e714c1075f88e900e273
Instruction Fuzzy Hash: E631A075A14249EFD744CF58C841F9ABBE8FB08314F15865AFA08CB341D631EC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019A9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfea7a046a75a7d7dac82939ac7a747e0f1fa32acec740aad07a55fab439c10
Instruction ID: 8e71d4dae2887d1a91ca63da6e6d88b3f638a800e763883a46306e8e0cd458aa
Opcode Fuzzy Hash: 3dfea7a046a75a7d7dac82939ac7a747e0f1fa32acec740aad07a55fab439c10
Instruction Fuzzy Hash: BC31D275A00285DFDB26DB6CC488BADBBF5BF89318F98814DC6096B241C334B984CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019DF527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 854f0fdfa89d63a87d85a45ff2a5d964fdd7322b59b5f120ba9d7458c9ded731
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: E9319A31600648EFD721CF68C880F6AB7F8EF84354F1445A9E91A8B290E730EE02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019AB233, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a25f080e4b272b806e79c41e0480e49c252fc951b07d7ea7f66a1b06a00f32
Instruction ID: 07b43417edf913d54ee233df3035963a8d3cc027a71ab7334a4f1a73ab7f3984
Opcode Fuzzy Hash: 96a25f080e4b272b806e79c41e0480e49c252fc951b07d7ea7f66a1b06a00f32
Instruction Fuzzy Hash: D4213832240242AFDB2BAF79D8C0A6EBBA9EF55744F40447DEA1E87251DB31AC40C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 019C0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8564a31288270aca3962dbf6346d745b62b2c96f46a0d2db12bd263d39f330bd
Instruction ID: fae55f07ece7b5ae81700dd793bd3ff886d1db4a832a3221057a99d4fc5678a7
Opcode Fuzzy Hash: 8564a31288270aca3962dbf6346d745b62b2c96f46a0d2db12bd263d39f330bd
Instruction Fuzzy Hash: 1F31D235201B04CFD722CF28C944B56B3E5FF88B24F19456DE59A87790DB35AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A2714D, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a883f58677dd785ab4d227354cab659f1eb5cbd1d39ec7099bd804454131e4af
Instruction ID: 2400c0c0de7cd537c5dfcb24d4862eac55f3013fcb169a9762733503f40bfe97
Opcode Fuzzy Hash: a883f58677dd785ab4d227354cab659f1eb5cbd1d39ec7099bd804454131e4af
Instruction Fuzzy Hash: 4021DE71900229EBCF25DF99C881ABEB7F5FF58700F14006AF945AB244D738AE51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A7F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c7948970c8c2fc7a7afad7519b9e1f96e1be4d219a5148e911067b724df829
Instruction ID: 41fbd561bd4a72db5900be7c2d2e7a2537340486d77d88a85728c9cad8d16261
Opcode Fuzzy Hash: 55c7948970c8c2fc7a7afad7519b9e1f96e1be4d219a5148e911067b724df829
Instruction Fuzzy Hash: 5721BD7AA00615BFDB228F49DC84F5ABBB4FB85750F054065EA249B210D630AF00CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019E90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: f8eb97c8db7e6749e29342c94d4f6d325b359746c4a8858b5e16d81190c45cf2
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 8C217FB1A00215EFDB22DF59C848EAABBF8EB54754F15886EE949A7201D230ED008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01A36652, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8413f406f7ced97e3a6457fb7a64babd2e43c94677802780a2acfafde466831d
Instruction ID: 7755010b630308ad46a1f35c2a0b42124f2cfe004fa2463e7894c682ceb3e10e
Opcode Fuzzy Hash: 8413f406f7ced97e3a6457fb7a64babd2e43c94677802780a2acfafde466831d
Instruction Fuzzy Hash: CB21C671600B12BBE6265F2C9844711FB74BF92378F040315FD2893691D7B2EA95C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 019B28AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95be559ee2c4ab41945b5b5582ce84ff398d29a556cc60ebceb09e72b8ca08e
Instruction ID: 5f71b1d7fc5e55dfd8c56b467a2ca90be0c296ea152f3c550b8b83a7ff92f941
Opcode Fuzzy Hash: c95be559ee2c4ab41945b5b5582ce84ff398d29a556cc60ebceb09e72b8ca08e
Instruction Fuzzy Hash: 672107726056819BF72357AC8D48F743BD4EB41B74F180764FA699B6E2DB6CB8408212

Uniqueness

Uniqueness Score: -1.00%

Function 01A7070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: fb2cc45e25532b88f044c7be370f291fdb289380f4dd6bd38267f956bd21a8c9
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 65213176204600AFD705DF2CCD80B6ABBE9EFD1710F048629F9959B381DB30DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019A519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94894b33b9762905a597f42ab956b09b6e03e6625e1c8a562459195946b7f20f
Instruction ID: 2273f36956c9fd2c8da71c06b371c9ffa6fc90090214cd39351cc736d9bd9494
Opcode Fuzzy Hash: 94894b33b9762905a597f42ab956b09b6e03e6625e1c8a562459195946b7f20f
Instruction Fuzzy Hash: 60113370A01301ABDB21AF6CC640FBABBF5FF64750F55052AF84A93680EA31E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A3D1F9, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6d3e10d19d6cc3fac0a952f31e7f00204c39b4d471431d557cb4fe4f0dd64c
Instruction ID: 9d6e114a2498ba3c27462754d1abcc9532a5137eddf5508e8f85dfe12a56150e
Opcode Fuzzy Hash: 7e6d3e10d19d6cc3fac0a952f31e7f00204c39b4d471431d557cb4fe4f0dd64c
Instruction Fuzzy Hash: 6B216DB2A00209EFDF229FD9CC40BAEBBB9EF88321F200459F944A7251D734D961DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A27794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dfd0fd93e42395024ea905162379f1b20575fda5e2a45a6e5e61726ed3d054
Instruction ID: 01f498316a755a5f6fca782ce0113bc677dd20a012049b5ee66564fb4dc3bd95
Opcode Fuzzy Hash: 01dfd0fd93e42395024ea905162379f1b20575fda5e2a45a6e5e61726ed3d054
Instruction Fuzzy Hash: 1821A172900614ABC725DFA9D894E6BBBB8EF98740F10056DF60AD7750D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019A12D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: e46a2124f37e582a3908b27165930e497ec4106a788a8cfd09be1e9614d98f39
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: C911E672600609FFE722DE54CC45F9ABBBCEB84750F104039EA098F540EA71ED48C794

Uniqueness

Uniqueness Score: -1.00%

Function 019D12BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e80697f1f45757d4bf8a48610e55bff705dc5d996e6ead4c2a1195ee7a7bceb
Instruction ID: 14b164bd6d84be7591425c52482063faf69502d8f6fd16a59c6e37a9b77afc71
Opcode Fuzzy Hash: 8e80697f1f45757d4bf8a48610e55bff705dc5d996e6ead4c2a1195ee7a7bceb
Instruction Fuzzy Hash: 08214A76600A00DFD739CF69C880F6AB7E9FF84650F10882DE59EC7651DE31A840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019DB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4f93857420c81a718a8a779cdcba3630c2d75b6bbde605062cd85dbc6fcdb6
Instruction ID: 22cff68ebe6d7783b9fdbea447aceb3352673874404110bc9fdcc5856ce15831
Opcode Fuzzy Hash: 6b4f93857420c81a718a8a779cdcba3630c2d75b6bbde605062cd85dbc6fcdb6
Instruction Fuzzy Hash: DA116B377031149BCB199E19CD81A6BB29BEBC6730B29412DDE1BCB380CD359C02C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 019A9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f4bef4600bce5c2a8eccb2933ec34934da0e99b6790e74e502950130a5a024
Instruction ID: 0049cf86c14e9662411492892951fb25ca754cd3f676255a8a3da23636479ba8
Opcode Fuzzy Hash: 79f4bef4600bce5c2a8eccb2933ec34934da0e99b6790e74e502950130a5a024
Instruction Fuzzy Hash: C5215972041602EFC726EF68CA04F5AB7F9FF68708F05496CE14D866A2CB34E941CB84

Uniqueness

Uniqueness Score: -1.00%

Function 019A3138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: 0d6dd7083359b0a07ff00b660b6249abae3ab5b83981bf786333a9d0febcbfe6
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: E911B272A04304EFDB26CF64C844F6AB7F9FB85315F14859DE5099B281EB71AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: e41072fc6be1ad823af61d2aad2a50afdc901b8c10777d7c79be60f2da45c2bd
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: 6211C437600919AFDB19CB68CC05AADFBF9EF84310F088269EC45D7350DA31AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A34257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ac921703134f5c4dbf22b2280bf8be25afe5e99a9753be167a35c83d8314c1
Instruction ID: 5ed8b0a52e7c53084cc9c5888000b52e43591a05e08f1f11937b6b40574b8278
Opcode Fuzzy Hash: 46ac921703134f5c4dbf22b2280bf8be25afe5e99a9753be167a35c83d8314c1
Instruction Fuzzy Hash: 6A216D74502B05DFC725DFA8D100758BBF1FBCA314B54826EE119DB266DB359492CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019D2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a431b2ce62a732098c308c6d11b22bc2116b0cadf14653a23e22ad4e3fb19a4
Instruction ID: 2105b54f5746682cc62a496cf9cda320c97c3205bec9c827e6c6ed247752d990
Opcode Fuzzy Hash: 5a431b2ce62a732098c308c6d11b22bc2116b0cadf14653a23e22ad4e3fb19a4
Instruction Fuzzy Hash: 3F11263274430167E730AB2EAC80F15F6DDFBE1B10F54842AF60E9B291DEB4E8428795

Uniqueness

Uniqueness Score: -1.00%

Function 01A246A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 4cbf57d11a5f5f82357177a5c5354a2743c55e0863fa0765203b6fff322607e8
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 4211E572604208BBC7159F6CD8808BEB7B9EFD9750F10806EF988CB351DA318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019AA63B, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec52c4dbc3ee9fefdf6a691e56426cf33caeb6a9c31ee5e9f24d79c8a4f8bcd
Instruction ID: 0df3766da55638b33ddc9c992880746101dcd14c5f712b0ecf6a606593d3068f
Opcode Fuzzy Hash: aec52c4dbc3ee9fefdf6a691e56426cf33caeb6a9c31ee5e9f24d79c8a4f8bcd
Instruction Fuzzy Hash: 9611E73F910181DAD3378F5AE941A3133A4FFC4B50B54052AEA08D7295DF3588C2C761

Uniqueness

Uniqueness Score: -1.00%

Function 019AC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d415aabc80825e213dc72e4a745d9effd87354a3678089e29f3ef9323e337d8f
Instruction ID: df2b5710d95c6d4ef1a8977c8eb5871ac2441466ddf96a8ffc3ed4b8e8ba0d7e
Opcode Fuzzy Hash: d415aabc80825e213dc72e4a745d9effd87354a3678089e29f3ef9323e337d8f
Instruction Fuzzy Hash: 161125313107029BCB20AFACCD8596B7BF5FB84620B500528E94687654DF20EC50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019E37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af451b8228691a1c7f919de18f617674dcfc0c7d81a29afe8d99304c16307a0
Instruction ID: b6b6d39cca84477f0d65e7068d29b537d83a80c9a91cb9a156d6ad3e11ba4e58
Opcode Fuzzy Hash: 3af451b8228691a1c7f919de18f617674dcfc0c7d81a29afe8d99304c16307a0
Instruction Fuzzy Hash: 8B0126729016119BC3378B1DD948E26BBEAFFC2B51715806DE94DCB201CB30CA01C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 019D002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: bd9afdfb5941be9c568976cb047dd71daf2d0af4e9dd5d894d056849bf3ec218
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 811126726096819FE7239B6CC944B353BE8FF88B94F0D00A0ED4D8B693D328C841C661

Uniqueness

Uniqueness Score: -1.00%

Function 019AA745, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2f6052a6c0d81c5da09c6ae29b906daeaf33e561f0f97f4b631be9688e4916
Instruction ID: e781ca24cc72d0784de94a846cf8aac7735fa055ab249819b6f596bc30a0c624
Opcode Fuzzy Hash: 2e2f6052a6c0d81c5da09c6ae29b906daeaf33e561f0f97f4b631be9688e4916
Instruction Fuzzy Hash: 6E01D6722411059BC321EB6DEC40E66B7A9FF86320B05466EE5098B282CE35D845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019A86A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2838a12bfa7fb0c301611d14f3f4a56a391a4934558db612db6c0909e9ac3aae
Instruction ID: 7ad9d189ab07fe3819a607fbd62166ebf5f2de9b9c68c904f1c14034dc0bfdcf
Opcode Fuzzy Hash: 2838a12bfa7fb0c301611d14f3f4a56a391a4934558db612db6c0909e9ac3aae
Instruction Fuzzy Hash: FE11C4725057129BCB319F19D840922BFF8FF95B62780892DF89D9B691D730D528CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019B766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 91ffe57e220932302d3d87cfbcffdc58863a0e8767a40ad16fad1d319d862572
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 6F01D832300119EFC724DE9ECE81E9B7BADFBC4660B140624BA0DCB280DA30DC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 019A9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a322665a26f257212c1a4dbc29f8c92947039d9404315d66af4e8f2f79daa9d
Instruction ID: 22d0a1459c49dd7d659430886fac7d6f8302efa3794cf74f11f0a878ff986708
Opcode Fuzzy Hash: 8a322665a26f257212c1a4dbc29f8c92947039d9404315d66af4e8f2f79daa9d
Instruction Fuzzy Hash: BE01F4729012148FC32A8F18D840B12BBE9FB81369F214026E2098F692C774DC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 9560845a020620fcc0d46b54c19f883490635dbf584f35d1a9c2c15d90ff13eb
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 5E019672140606BFE725AF69CC88F62FB6DFF94764F004525F25852560CB21ECA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 019A8190, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4630eb61f6970ada2d0e3d0c1953c46c88b571a5482fdcdc9c8fe3c2292880a9
Instruction ID: 10d3d4a3fa6f0f78bcffee11c44edc540229c6644a8fa710269a5b9320cd213b
Opcode Fuzzy Hash: 4630eb61f6970ada2d0e3d0c1953c46c88b571a5482fdcdc9c8fe3c2292880a9
Instruction Fuzzy Hash: 5D012872101605ABD3229B64CC44E73B7BDFB817A2F514429E52E4B241CB30EC05C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019A31E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 5ef0adaa3feb3cfbdfe4d989db53f23a57b19d1af199919c2f4c3b6c0d8dd42e
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: 4201B532240701AFEB229A6AD940E6777EDFFC1B10F54481DAA5E87551DA30F905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A74015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec10a6ae552dc6b7e358934bcc60eba31e4a12df03cdd5a93325190ee168fa9
Instruction ID: 75bc7617d8f44497363570e1c5b2628724b06a1d6b8af7b51faf5c95cd81f386
Opcode Fuzzy Hash: aec10a6ae552dc6b7e358934bcc60eba31e4a12df03cdd5a93325190ee168fa9
Instruction Fuzzy Hash: 1901847220154A7FD715AB69CD84E57B7ACFB99B60B000229B50C87A11CB24EC51CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 01A619D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce03a7d7cb3ac9007c3b869e980e04f966db7c1b2a533b317f263ae85cccf0c
Instruction ID: 2428678956ee5163e1e424bf504d6a40e0022dbbaf6d883b8faac26b0ccd2c52
Opcode Fuzzy Hash: 4ce03a7d7cb3ac9007c3b869e980e04f966db7c1b2a533b317f263ae85cccf0c
Instruction Fuzzy Hash: 8F019271A01219ABCB14DFA9D845EAFBBF8EF94710F404056B905EB380DA749A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A61951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8c93274385b8a29a0802c51978a3d609d4843863f7f250cacfec86ffcb1036
Instruction ID: ea61a8b15bd83ad695caacd504d2a86d8cb3d52546b840d217f9f88c089bda4e
Opcode Fuzzy Hash: 1a8c93274385b8a29a0802c51978a3d609d4843863f7f250cacfec86ffcb1036
Instruction Fuzzy Hash: 98017571A01219AFDB14DFA9D845EAFBBF8EF84710F004056F945EB380DA74DA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019A70C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: f30f5a72a9ddf0fe30cce950d8033174c7e6e118292c2d3a701df92c40168ea0
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: B011E132450B12CFD7329F48C880B22B7E5FF50722F05C86CD48D4A552C739E880CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01A33019, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1ee7f1d5e9ca0f43eb0bc0ef7a7040c56c2a56f0aa66a9a4f553b7ee856068
Instruction ID: ea940bf2bed69317cc83c1e58f95ef87b2e9cd91151d0bbbb6cb7d6193cee3d9
Opcode Fuzzy Hash: 2f1ee7f1d5e9ca0f43eb0bc0ef7a7040c56c2a56f0aa66a9a4f553b7ee856068
Instruction Fuzzy Hash: C51157B16083089FC700DF69C441A5BBBE4AF99710F00851EB998D7390E670E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A6138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710468305afba7d08e5c7ec86f3966a3622bda4a099466b48b19a145061c63bd
Instruction ID: 3e18e10870c569e49bed21f8b04aaaef809cf9b8685a1d3a6f4cf1735719a40b
Opcode Fuzzy Hash: 710468305afba7d08e5c7ec86f3966a3622bda4a099466b48b19a145061c63bd
Instruction Fuzzy Hash: A8015271A00259AFDB14DFA9D845EAEBBF8EF84710F404056B905EB280DA749A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A614FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e474f58a352f5aa5062b8eeb7812be2473f03b7914d1da8fb53240f07e0c1833
Instruction ID: a88d31c85c0a17955cfacf889f24106750a313c9a6dfc04234b050672f9fbe25
Opcode Fuzzy Hash: e474f58a352f5aa5062b8eeb7812be2473f03b7914d1da8fb53240f07e0c1833
Instruction Fuzzy Hash: 7101B571A00249AFCB14DFA8D845EAEBBF8EF84710F444056F905EB380DA70DE40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A78450, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction ID: e024b8f5a2888107c48d1a477668ee6a1909c4af9ec1fd2cd23860bf89a9fec8
Opcode Fuzzy Hash: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction Fuzzy Hash: 860184332006019FE7259B69DD48F57B7EAFFC5610F08481DE6468B651DAB8F980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019A95F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: 64a211197914b266888c360b2d3a04aeeeda304b8972f2bcc4032da1b75cc08a
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: 4201F772A01144DFDB129B98CA04F2577A9BFD1B28F104159EE198B290DB34ED44C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 01A78966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406ae76d5fbd6ce1a2a88e1bb55d36af64611edd760f993e15176fcd072aafc2
Instruction ID: 6efd5b0480bbd40baaefb851b4ca544109f54ab824ec4e7a246e0bd908f4e2db
Opcode Fuzzy Hash: 406ae76d5fbd6ce1a2a88e1bb55d36af64611edd760f993e15176fcd072aafc2
Instruction Fuzzy Hash: 4E014CB1A0021DABCB00DFA9D9459AEBBF8FF58700F10445AE905E7340D7749A00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 019BB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: fa1d097adb59e72dde591d1ff11f446752ff2dae912e50a158ee53b0ae0986eb
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: D5018472204A809FE3278B5CDAC4FB67BECEB85750F0900A5FA1ACB6D5D628DC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01A71074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f7000ab945b69116c0b8ce5c9570e3bb2536a7ec20b76f1d22ca4867cb4a4
Instruction ID: e8f6a9880eab84f9913eab2ffdb901d691956610e3f5d4d5aa1b96363e88ab8f
Opcode Fuzzy Hash: 673f7000ab945b69116c0b8ce5c9570e3bb2536a7ec20b76f1d22ca4867cb4a4
Instruction Fuzzy Hash: E90147726047469FC711EF68DD40F1ABBE9BBC4320F04C629F98693690EE34DA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A6129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08b0be31f4cb19f5ebdbd1b91e245c4afecd4d5bc2ce95d7ea4207ff3cf400d
Instruction ID: 02afd249bbe436c10d6efa7225e131948ec01f1491c3e9ff5ca2555624df6739
Opcode Fuzzy Hash: a08b0be31f4cb19f5ebdbd1b91e245c4afecd4d5bc2ce95d7ea4207ff3cf400d
Instruction Fuzzy Hash: 23018871A00259AFDB14DFE9D805EAF7BB8EF94700F044066F905DB280D674D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A61751, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69140a315b5c3c97fe5c80a270801f2b5635bfd7bf7526d1728d606ff1455f78
Instruction ID: 5d5b30eb14957974bea5b2e9f24b1550855b1f1912d29ceb48a129fa3eacf80a
Opcode Fuzzy Hash: 69140a315b5c3c97fe5c80a270801f2b5635bfd7bf7526d1728d606ff1455f78
Instruction Fuzzy Hash: 94018475A00219EBDB10DBA9D805EAFBBB8EFD4700F04406AF905EB280DA749901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A789E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc84cfd51083903ff79ed71398108c8aa84c261154ba4608e9f756cfcc87d62c
Instruction ID: ecb8418c631c7fbe5ad71d6c1c59050b6e038e10ec9cb6e241609907ca65adfa
Opcode Fuzzy Hash: fc84cfd51083903ff79ed71398108c8aa84c261154ba4608e9f756cfcc87d62c
Instruction Fuzzy Hash: 33012CB1A0021DAFDB00DFA9D9859AEBBF8FF58710F54405AF905E7340D634AA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019AB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a4824f16dee9e90bd10672ee7fa29a372924dd3a87148f396c88291193d25638
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C501D1322006809BD32397ADD904F697BD8FFA5750F0804A2FE198B6B2D678D840C655

Uniqueness

Uniqueness Score: -1.00%

Function 019A7057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27650a994a62cba899021d2d5f52be41c72e27927d52feacc980fb1d6c49fe9e
Instruction ID: 875cfee139d9225b7ed534b90805c4109f0cf763758114885fb38b7187b51654
Opcode Fuzzy Hash: 27650a994a62cba899021d2d5f52be41c72e27927d52feacc980fb1d6c49fe9e
Instruction Fuzzy Hash: 6001A235200608ABD735DF98DD06FABB7FDEF84A10F10055DE90983150CBA1A904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A61229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a9954f19fa4b5016cd1ba673c0e8c7a1d537c665a7b7765d94ff373464fb0b
Instruction ID: 0e04ae2812dd56ca8466c2584fa4add4b662d43e6b19a440af3f9ea90701666e
Opcode Fuzzy Hash: 28a9954f19fa4b5016cd1ba673c0e8c7a1d537c665a7b7765d94ff373464fb0b
Instruction Fuzzy Hash: C601CD72A00258AFDB15DFF9C5059AFB7F8EF54710F00806AF515E7290DA74D901C791

Uniqueness

Uniqueness Score: -1.00%

Function 019A1480, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction ID: 3207760c593edb34c75e0980ef004f40863426c3393abbaa6b196b1e70e61101
Opcode Fuzzy Hash: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction Fuzzy Hash: 9CF0AF36B01108ABDB25DB4DC840FBEBBBDDFC4A00F1401AAA909E7740DA30AE05C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A617D2, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e5c39166c237c8eb74fd6fdd9162c68300383465871ccedf0cf3b6fe4a4960
Instruction ID: 499021a5b1dc468dd616b82e8574bdcb35a50ca9c1ddd4bc765ffe46b812bac3
Opcode Fuzzy Hash: e1e5c39166c237c8eb74fd6fdd9162c68300383465871ccedf0cf3b6fe4a4960
Instruction Fuzzy Hash: DE01C872E00259AFDB05DFF9C8069AFB7B8EF94710F00809AF515EB290DA74D905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019A3591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: ad79435c5a91e67cfaf799790d41f7f89a606034c1657ec1ce6dcb03776c8f46
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 9BF04671A01208ABEB11DB6CC810FAABBACFF80714F288155EE4DD7200DA32EB4493D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8519de2208703ccec7de78190f0ff34ff1e0f95b5fcc072d7d9d98b2fa37493
Instruction ID: fdf197c3992d566d6a3c02cd4652e1260a99c375e12558803a1cd0e34640ebda
Opcode Fuzzy Hash: f8519de2208703ccec7de78190f0ff34ff1e0f95b5fcc072d7d9d98b2fa37493
Instruction Fuzzy Hash: EA013171A01249AFCB44DFE9D545AAEBBF4FF58700F404059B945EB341E6349A40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A61608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b62cb7f67d5b9fc0ebc77bd1dc056aef7ac16063a26315a6473388f2f57a0d
Instruction ID: 3d96d172028d03b2e9fa946a9ac71bd96bf4dba054a7fe80f36986d5bf8bb24c
Opcode Fuzzy Hash: e9b62cb7f67d5b9fc0ebc77bd1dc056aef7ac16063a26315a6473388f2f57a0d
Instruction Fuzzy Hash: 2DF06275A00249EFDB14DFE8D505A6EBBF8EF54700F444059A905EB391EA349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019CC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81386c7384538345077b3506e6cbbc23f237d5d38539286c0886edc7ff4a8211
Instruction ID: 062d29ddf528ac156cd68af764cd954dbc26abce5d3631a92df3958c6cc72413
Opcode Fuzzy Hash: 81386c7384538345077b3506e6cbbc23f237d5d38539286c0886edc7ff4a8211
Instruction Fuzzy Hash: A2F024B291D2D08FE732C31CC014B217FDC9B28E72F54486FD48D83186C2A4C880C243

Uniqueness

Uniqueness Score: -1.00%

Function 01A62073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7924d252da35c088f1682391e7fc5ff31ca1a2ec750dbbe9e3c027f7aca58cf8
Instruction ID: 7e45f918cc402e660b7343c1ef199ac12201c00529a70faf516afd00e85c3340
Opcode Fuzzy Hash: 7924d252da35c088f1682391e7fc5ff31ca1a2ec750dbbe9e3c027f7aca58cf8
Instruction Fuzzy Hash: C8F0A02B8251894ADF736B2C62113E53FDADB9A164B0A4887D8A01720AC9398CD3CB20

Uniqueness

Uniqueness Score: -1.00%

Function 019E927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5e74b7585881ad58bff916937e87f99bf31f932ab0b75142c5267a2d7bdaa9d4
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 4AE02B323405016BEB229E09CC84F0337ADDFD2725F00407DB5081F242C6E5DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 019C746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1f53f99ebf0aee30040cad2737df34a930da36e864dd77d6b9eef6de8dbe7e
Instruction ID: 9c808afa439c4a4086940c7dfea81f3af69174b6bdb85da54c935644ddb5e071
Opcode Fuzzy Hash: 3c1f53f99ebf0aee30040cad2737df34a930da36e864dd77d6b9eef6de8dbe7e
Instruction Fuzzy Hash: 53F09034500145BADF1A97ECC450F79FBA7AF04E50F04051DD8D9E7151E7249800CE96

Uniqueness

Uniqueness Score: -1.00%

Function 019A354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d784ab1ddfd8d50d1818a08ad5fb7ef940d108b8aeea34de9a972b92effa9516
Instruction ID: 59805e923c4617463e3912f7de41ebef0e89e483e6fc1cb972a19ed2ffe152b1
Opcode Fuzzy Hash: d784ab1ddfd8d50d1818a08ad5fb7ef940d108b8aeea34de9a972b92effa9516
Instruction Fuzzy Hash: BBF02733921288AFD722DB1CC104F11BBDC9B01B72F1541A9E60DC7953C328EC80C380

Uniqueness

Uniqueness Score: -1.00%

Function 019AB540, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db0d0cb0958b8e4861dfe3b9044452523a7baccb4eff2b1f38d774106920cc8
Instruction ID: 781b8203f77d7e9ca5988f157103ee08bab0155a0cfab7d8a070c1af8140f5f8
Opcode Fuzzy Hash: 0db0d0cb0958b8e4861dfe3b9044452523a7baccb4eff2b1f38d774106920cc8
Instruction Fuzzy Hash: 70F0E2311005868FCB2B8B9CC941F21BB79EB81731F5443A8E85A8B1A2DB24D945DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 019DA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75226c383da462af8f49276d0c3fde76e258ea7e354030b2ec79a6bbc2bfb75
Instruction ID: 1b83a2f142fbd21b934ef9fe10da915fc95a030348351e036fa9d4716bfb5b89
Opcode Fuzzy Hash: e75226c383da462af8f49276d0c3fde76e258ea7e354030b2ec79a6bbc2bfb75
Instruction Fuzzy Hash: 06E0D872B01421ABD3225F59FC00F6773ADDBE4A51F0A4439F649C7214DA28DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019AF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 587600db9583cd7acc2499bb5af7bae83de0ed13c37834126536e733164655d0
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: A4E0D832A40118FBDB31A6D99E05F5AFFBCDB94BA1F014195BA08D7150D9609D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 019A15C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: e797cf2d9cecf1a060652c6b8bdacf64fc0c43279af4905b2716328857f88bbd
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: 37E06831200286A7CF36AB48C400FB6B7ADAF91B04F889036F94E8F192DB60DC49D3D0

Uniqueness

Uniqueness Score: -1.00%

Function 019D4710, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction ID: e063014aa0f53a47054132c30a852797168aebfde5364b112238e882e2627727
Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction Fuzzy Hash: 3EF02B76204300DFCB0ADF55D040EA57FE5EB56350F010454EC598B311D771E941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 019CE760, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb08acbcfe384487744fe4bab481c89967f57a21b23858a310e04e3bff3283a9
Instruction ID: 07d1a779753e75103331e74c006c443775cf3ef76ff5447a1b9af1eff6c31756
Opcode Fuzzy Hash: eb08acbcfe384487744fe4bab481c89967f57a21b23858a310e04e3bff3283a9
Instruction Fuzzy Hash: 21F0A031514284DEE722D72EC144F21BBD8AB08BB0F054479D50987116C77CD880C260

Uniqueness

Uniqueness Score: -1.00%

Function 019AB990, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84564271e46cf6d9f2c021a583ff182159ae60306067e01860b7afd17ccfdbe7
Instruction ID: a38ebe6f0f3a4021db21b4b30d657e70996ab25982be790c7cbb201f5215d778
Opcode Fuzzy Hash: 84564271e46cf6d9f2c021a583ff182159ae60306067e01860b7afd17ccfdbe7
Instruction Fuzzy Hash: 3FE06D326043455FF314AA09D420F6277DEEBD4654F5A81A5EA0E4B796DA71E80887D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A341E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef71bb6e985d37c45d796b27e5148f39d7aca362242c2b3a4b83c25cdc2ab11
Instruction ID: 45cc46947fd45441bab13fed09a66be7a2e6cf58c2bf2f5533e0f6b876044502
Opcode Fuzzy Hash: 0ef71bb6e985d37c45d796b27e5148f39d7aca362242c2b3a4b83c25cdc2ab11
Instruction Fuzzy Hash: 71F03978822709EFCBB1EFA9D60070C36F4F79A310F00411AA108972AACB3845E6CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01A5D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 67a07ecf8b9b0b7b3f0309e2c54836441ccd9bbbb91bd8d11a2061e3e0e1268a
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 2DE0C231284209BBEB225F88CC00F697B26DB90BA0F104031FE085A691C6719C91DAC5

Uniqueness

Uniqueness Score: -1.00%

Function 019DA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdb957f8ffba41aa3bbaf28b5688fe8deaf824f0d62fb645c1254b7c5898cff
Instruction ID: 152f4f0ae7b493472032a86a87f66c07944219d5069b5528346f07fa8f5ef4d5
Opcode Fuzzy Hash: 3cdb957f8ffba41aa3bbaf28b5688fe8deaf824f0d62fb645c1254b7c5898cff
Instruction Fuzzy Hash: B8D05E711610025ACB2F67609958B293692FFC4BA0F38880DF24F4B9A4EE6088E5D20A

Uniqueness

Uniqueness Score: -1.00%

Function 019D16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78674eb502001207dd33bf06aae5cb195e0f312dadc4142cb48ef92f7c8107fd
Instruction ID: bf49d0433aeacd1cf80323d13966c5779b5d386c1313096860fb51ce70ddfd60
Opcode Fuzzy Hash: 78674eb502001207dd33bf06aae5cb195e0f312dadc4142cb48ef92f7c8107fd
Instruction Fuzzy Hash: 0BD0A77220010192EE2D5B149814B142665EBD0B82F38007CF20F494D1CFA0CCD2E048

Uniqueness

Uniqueness Score: -1.00%

Function 01A253CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4e4854d21a54c31d0b75c404e4995a54db291bedfd20440b1256df0f36c65837
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: FBE08C319006849BCF12DB8DC6A0F8EBBF9FB84B00F140408E0085B620C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0041584D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2fcd2084ff59ff0b3a78e82aba096856c42f6942f1665d61836ef2847a7e3f
Instruction ID: a80ae7c34a1b69a87fc567a5d567371f1e6a51223c7e289b2f93a660786dfecd
Opcode Fuzzy Hash: 0d2fcd2084ff59ff0b3a78e82aba096856c42f6942f1665d61836ef2847a7e3f
Instruction Fuzzy Hash: 5DB0922AB8E25539912658993C508F8EFA88083075E202677E609F75928202D225829D

Uniqueness

Uniqueness Score: -1.00%

Function 019A9515, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction ID: 623838d45e50df5525f93ba44a1282206c39a3f6ddda923d94e109bdc3a0b4c8
Opcode Fuzzy Hash: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction Fuzzy Hash: 23D0223220207093CB285688B914F636A09AF80A54F0A006C3C0D8390084108C02CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 019A8410, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673c9b26c85ffb05b9eb3856db6b2e4edb38a72714c1db6ba7e30358146903eb
Instruction ID: 8fb67aadce70f1d8fc03b1c8254ee48727f850dc1a2c9b12463028da3052da42
Opcode Fuzzy Hash: 673c9b26c85ffb05b9eb3856db6b2e4edb38a72714c1db6ba7e30358146903eb
Instruction Fuzzy Hash: BED0A732040108ABC711FF4CCD80F053B6DEBD4700F004024B40C87263CA34EC61CA84

Uniqueness

Uniqueness Score: -1.00%

Function 019D35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 1c5183a32d099142e07892800ffe25caf1c736573a31bfaa0ff4e25f1d195ccb
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: BAD0A9B14011829AEB02AF14C218BA83BBABB0020BFD8A0A5800E06852C33A4B0AC602

Uniqueness

Uniqueness Score: -1.00%

Function 01A2A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 0de055460ff60fb4dd9ef85498f58a44de49ad4d176d6ceb08ef8df6c72729bc
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: BBC08C33080248BBCB127F81CC00F067F2AFBA4B60F008014FA480B571C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 019D36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: dff33ec090c67df0050dc61229eed7ce82cc366a52ef6fa3b6baff648812558d
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 61C02BB0250440FBD7251F30CE11F147268F740E23FA403587324464F0D5289C00D101

Uniqueness

Uniqueness Score: -1.00%

Function 019B76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: ff72fa40cf744e2cd27b50fe4decd1dc72364961cfe5c9fdc92272a9c001dcd1
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: FDC08C701411C49AEB2E578CCF64B203A58AB88A0AF480A9CAA490D4E2C368AC02D609

Uniqueness

Uniqueness Score: -1.00%

Function 019D4190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: d5310c1d12ea270f2f2aaf02720b6f08508ed7198b49b1e1511286089cce2636
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 86C04C757515418FCF15CB69C384F1537E4B744B44F150890E809CB726D664E800CA11

Uniqueness

Uniqueness Score: -1.00%

Function 01A787CF, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7342938eed41a2186320ed702457316c2ea2c435f83f70e6a7ab4e9bc3603639
Instruction ID: 572f0dc6731e62f202fd08ba9d42ca52467d3756265ce2b2bd1ac0ac6ddea9d8
Opcode Fuzzy Hash: 7342938eed41a2186320ed702457316c2ea2c435f83f70e6a7ab4e9bc3603639
Instruction Fuzzy Hash: 8CB01231212541DFC7026B20CB90B9872A9BF41AC0F0900B0650485430D6189810D501

Uniqueness

Uniqueness Score: -1.00%

Function 019E99A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533bae7c0f38fa21d4086203dcaeedaecb3d5cd4b3af6a4ffbd9264751f4bd3d
Instruction ID: 584a51a6c86ed0791a0cbb28a00dcd7c95c871de469cae6b4a94e7b8f0246775
Opcode Fuzzy Hash: 533bae7c0f38fa21d4086203dcaeedaecb3d5cd4b3af6a4ffbd9264751f4bd3d
Instruction Fuzzy Hash: F29002A174110452D10061994414B064085E7E1341F52C019E2094554DC659CC527266

Uniqueness

Uniqueness Score: -1.00%

Function 019E99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e0cb52d081d281b67d6a4456077818c1244078465c4e3779fe8c6e952211b6
Instruction ID: 1080411f8b29e335534abe23bd5f84ef81cc8407b338b35c4b6c1b50cdcf8888
Opcode Fuzzy Hash: a4e0cb52d081d281b67d6a4456077818c1244078465c4e3779fe8c6e952211b6
Instruction Fuzzy Hash: 559002A161110052D1046199440470640C5A7E1241F52C016A3184554CC5698C617265

Uniqueness

Uniqueness Score: -1.00%

Function 019E9910, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c566ecf3feccb679baa8406b00a186f20d58d626ec2d02e8d77ecbc42f33da
Instruction ID: 70919bc3d6f3b35487f5da3a1203a6347b7df5251ff8354d6d1bbd2531179261
Opcode Fuzzy Hash: 42c566ecf3feccb679baa8406b00a186f20d58d626ec2d02e8d77ecbc42f33da
Instruction Fuzzy Hash: 149002B160110412D140719944047464085A7D0341F52C015A6094554EC6998DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 019E9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7705b35b05937ec94d29b16de9ab6d2e453c0a9a1b2b80d5cc07c22b5a99ca
Instruction ID: 9e11675bc222890367255083ff27b01449a431a37fb8ef1560c67b7bdb3dbe9e
Opcode Fuzzy Hash: cf7705b35b05937ec94d29b16de9ab6d2e453c0a9a1b2b80d5cc07c22b5a99ca
Instruction Fuzzy Hash: 049002A160150413D140659948047074085A7D0342F52C015A3094555ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 019E98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d5e7f41701283de95335dc64549088bac9420efa24e21bbbcebf37f201707
Instruction ID: 0dfcec3a325ad2549d1cb52d6f8beddab258096d49438e4ab5b82065fceb2372
Opcode Fuzzy Hash: 478d5e7f41701283de95335dc64549088bac9420efa24e21bbbcebf37f201707
Instruction Fuzzy Hash: 3A90026170110412D102619944147064089E7D1385F92C016E2454555DC6658953B272

Uniqueness

Uniqueness Score: -1.00%

Function 019E98F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5055e1b91ec41c558e8e8b7938516c3afff2d92a3d20a58699d7017cac47f403
Instruction ID: 15dab5cb71a66f072419d14b545cf5d6692bdf1791ce5f3ce20f97af9f1a38d1
Opcode Fuzzy Hash: 5055e1b91ec41c558e8e8b7938516c3afff2d92a3d20a58699d7017cac47f403
Instruction Fuzzy Hash: 81900261A0110512D10171994404716408AA7D0281F92C026A2054555ECA658992B271

Uniqueness

Uniqueness Score: -1.00%

Function 019EB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b17103000be894b8f4dd2d62a1cfec57d930fdb075dd9cf0cf95843ec6efba
Instruction ID: 76de9c93119a2fa832f03de02f6c1bad7219002737984063c3efade1c69e1952
Opcode Fuzzy Hash: c9b17103000be894b8f4dd2d62a1cfec57d930fdb075dd9cf0cf95843ec6efba
Instruction Fuzzy Hash: 679002A1A01240534540B19948045069095B7E1341392C125A1484560CC6A88855B3A5

Uniqueness

Uniqueness Score: -1.00%

Function 019EA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761138bd10d31f70c79d4e5d514d2b2fc4d76d596a895f0d9b398ac98cd1edbd
Instruction ID: aed3636be69cab7e1d2c67aeb6080feffe977126126a68fedb380d5f9c13cfd0
Opcode Fuzzy Hash: 761138bd10d31f70c79d4e5d514d2b2fc4d76d596a895f0d9b398ac98cd1edbd
Instruction Fuzzy Hash: 1A90027160154012D1407199844470B9085B7E0341F52C415E1455554CC6558856B361

Uniqueness

Uniqueness Score: -1.00%

Function 019E95D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531e678c946ab69c51572a077ffbbaac2c9af758f6e9f1695948f765791fc734
Instruction ID: 65a57c730bb93776a47d27a38651bba3b0d6605563f2f26718db8b72155624ac
Opcode Fuzzy Hash: 531e678c946ab69c51572a077ffbbaac2c9af758f6e9f1695948f765791fc734
Instruction Fuzzy Hash: CA9002A160210013410571994414716808AA7E0241B52C025E2044590DC56588917265

Uniqueness

Uniqueness Score: -1.00%

Function 019E95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecdb83829b80688318058a56929698c64556c09581708a99e25d35fd8f136ea
Instruction ID: f0afd7b2427d50d3c9966913a1628dd633f40e3b8ac6e1797e2be0f4a2263c50
Opcode Fuzzy Hash: 6ecdb83829b80688318058a56929698c64556c09581708a99e25d35fd8f136ea
Instruction Fuzzy Hash: 8590027160110812D104619948047864085A7D0341F52C015A7054655ED6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 019E9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849b01dd37d2dc45c6a1e0dfc851832a977bd33fd4a1be13860a8812c612fac2
Instruction ID: f2684de457354e27329aaecf3141850a666e931ca8417e516449a69c175d95f8
Opcode Fuzzy Hash: 849b01dd37d2dc45c6a1e0dfc851832a977bd33fd4a1be13860a8812c612fac2
Instruction Fuzzy Hash: B89002E1601240A24500A2998404B0A8585A7E0241B52C01AE2084560CC5658851B275

Uniqueness

Uniqueness Score: -1.00%

Function 019E9540, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af394b673738f228806e3325dccb134c68860b0ca2e371e93503928a32bbefe1
Instruction ID: 2eda17d99ed2693bb4c268f73138bca783a53915f1f1d92a6d8b507bcc328281
Opcode Fuzzy Hash: af394b673738f228806e3325dccb134c68860b0ca2e371e93503928a32bbefe1
Instruction Fuzzy Hash: 8D900265611100130105A599070460740C6A7D5391352C025F2045550CD66188617261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcceca8133209d9a10e5cd02920264677177256af8fbd70c8bbcc4dc628b603
Instruction ID: 1c7df99a60e2cdc3eb7e0a78744f38cbf3e2abe4317c8f8ec76c64237087b1f9
Opcode Fuzzy Hash: abcceca8133209d9a10e5cd02920264677177256af8fbd70c8bbcc4dc628b603
Instruction Fuzzy Hash: C2900265621100120145A599060460B44C5B7D6391392C019F2446590CC66188657361

Uniqueness

Uniqueness Score: -1.00%

Function 019E9780, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf41e25a312c1e3c1089bed1c45c63277ad236c10fa2e0de91134f872bb15349
Instruction ID: ef085f96a656c457651e542e31482575c872953401f0c09c017ebd9c1e59ba6b
Opcode Fuzzy Hash: cf41e25a312c1e3c1089bed1c45c63277ad236c10fa2e0de91134f872bb15349
Instruction Fuzzy Hash: 6490026961310012D1807199540870A4085A7D1242F92D419A1045558CC95588697361

Uniqueness

Uniqueness Score: -1.00%

Function 019E97A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de6e86c39118cdbe70126b3a3f00b03aadb26a432f2de4c943dbe6fab33c76b
Instruction ID: 256129c10c06f2da5455221514213396d92ead4bd71d2dfd2f63910c68f87e19
Opcode Fuzzy Hash: 1de6e86c39118cdbe70126b3a3f00b03aadb26a432f2de4c943dbe6fab33c76b
Instruction Fuzzy Hash: 0F90026170110013D140719954187068085F7E1341F52D015E1444554CD95588567362

Uniqueness

Uniqueness Score: -1.00%

Function 019E9710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e547fd1f27bf9d5bc6bece6787bab3e6107e6f848c6ee9c41f53d1143510306
Instruction ID: c136477115c89b8649f3cb81bb230b108a8423e776a78e23a527a74ff9ef68d3
Opcode Fuzzy Hash: 6e547fd1f27bf9d5bc6bece6787bab3e6107e6f848c6ee9c41f53d1143510306
Instruction Fuzzy Hash: A190027160110412D10065D954087464085A7E0341F52D015A6054555EC6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 019EA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590df89f1446d4f5955736f77f401667fc7518125b9daa0bdbf59021e6f0e6a3
Instruction ID: edf750abdec4db814f51e1b0e1fe42d3127f1986152e167597fd06fe15296181
Opcode Fuzzy Hash: 590df89f1446d4f5955736f77f401667fc7518125b9daa0bdbf59021e6f0e6a3
Instruction Fuzzy Hash: 09900271701100629500A6D95804B4A8185A7F0341B52D019A5044554CC59488617261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443ee8021ba228838ce5b98e247e2c8daf31a38672b7a6923b883d1bbdff3dd6
Instruction ID: 0480a61025756c8223a0658bf3f710334853a16ae7dc493756865efd07fbc1a7
Opcode Fuzzy Hash: 443ee8021ba228838ce5b98e247e2c8daf31a38672b7a6923b883d1bbdff3dd6
Instruction Fuzzy Hash: 0B900261A0510412D140719954187064095A7D0241F52D015A1054554DC6998A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 019EA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc95ee784886efdb7cdf8236407d1d39fa66c514343629773f4580666a7e9872
Instruction ID: c655cec035ee66f51cec26862102e8bb519dd22d86fabea9d6aa00c160256960
Opcode Fuzzy Hash: cc95ee784886efdb7cdf8236407d1d39fa66c514343629773f4580666a7e9872
Instruction Fuzzy Hash: EA90027560514452D50065995804B874085A7D0345F52D415A145459CDC6948861B261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936dce75900fbf1f34c8152b20909d36cb5e1f0ec9bca5e6a6719da40eabad6c
Instruction ID: b53c9b6b66e30f905d2374bed4ab3731a61d9d6e5962a538a76b3e555dcbf579
Opcode Fuzzy Hash: 936dce75900fbf1f34c8152b20909d36cb5e1f0ec9bca5e6a6719da40eabad6c
Instruction Fuzzy Hash: 3C90026160514452D10065995408B064085A7D0245F52D015A2094595DC6758851B271

Uniqueness

Uniqueness Score: -1.00%

Function 019E9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b53810458c41ff2da0be8aaf4bc062107ea63842641f2b4996acde06c8eda15
Instruction ID: e6f4e7051680f716454d383fa6c6de42472b87346d906b2b0111d1078e659d96
Opcode Fuzzy Hash: 9b53810458c41ff2da0be8aaf4bc062107ea63842641f2b4996acde06c8eda15
Instruction Fuzzy Hash: 0690027160110413D100619955087074085A7D0241F52D415A1454558DD69688517261

Uniqueness

Uniqueness Score: -1.00%

Function 019E96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f22a01c5375394262fd06fc66d8088dd8bc5948d8e12338a8629d719ba44bb
Instruction ID: 531c34abe9a7642bc894392b2e1d4186846624cfff68bd659306a470584a0988
Opcode Fuzzy Hash: 79f22a01c5375394262fd06fc66d8088dd8bc5948d8e12338a8629d719ba44bb
Instruction Fuzzy Hash: 2D90027160110852D10061994404B464085A7E0341F52C01AA1154654DC655C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 019E9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26be6917758001abf592172f9954e276cb00e90e84d1aa5711cb96f8ea4052b4
Instruction ID: c73d59bbf15207b9dcbb3037c289c34846188bfabc0983c4805b6066c1c6996b
Opcode Fuzzy Hash: 26be6917758001abf592172f9954e276cb00e90e84d1aa5711cb96f8ea4052b4
Instruction Fuzzy Hash: 8E900271A0510812D150719944147464085A7D0341F52C015A1054654DC7958A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca78b9333bc50b30d46b5f3444bbf303988ba8c6b5174a37d81667d1ed8cbf24
Instruction ID: 074b914f40a6802ebc65ecc496e6f78aeacb66da939127089cb2c031c2c5ba50
Opcode Fuzzy Hash: ca78b9333bc50b30d46b5f3444bbf303988ba8c6b5174a37d81667d1ed8cbf24
Instruction Fuzzy Hash: 2B90027160514852D14071994404B464095A7D0345F52C015A1094694DD6658D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c60c37e74b7d68a97c296cc2cb0f9392c03fbb41ef3665a11ba28474cd54faf2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 019A40FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E019A40FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x1a9d360 ^ _t107;
				_v8 =  *0x1a9d360 ^ _t107;
				_t105 = __ecx;
				if( *0x1a984d4 == 0) {
					L5:
					return E019EB640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E019BE9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E019A42EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E019A41EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E019E96C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E019A429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E01A35720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						L019EFA60( &_v548, 0, 0x214);
						_t106 =  *0x1a984d4;
						_t110 = _t108 + 0x20;
						 *0x1a9b1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x1a984d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E019EB75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E01A35720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E019F1480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E01A35720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E019F1150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E01A35720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								L01A23E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E01A35720();
						goto L15;
					}
					L8:
					_t56 = E019A41F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x019a410d
0x019a410f
0x019a411c
0x019a411e
0x019a4158
0x019a4168
0x019a4168
0x019a4126
0x019a4130
0x019a413c
0x01a004a2
0x019a4142
0x019a414b
0x019a414b
0x019a414f
0x019a416b
0x019a4171
0x019a4176
0x019a4178
0x019a41d0
0x019a41d2
0x019a41d3
0x019a41a7
0x019a41ae
0x019a41b0
0x019a41db
0x019a41b2
0x019a41b8
0x019a41bf
0x019a41c1
0x019a41c1
0x019a41c1
0x019a41c3
0x019a41c5
0x019a41df
0x019a41e2
0x019a41e2
0x019a41c7
0x019a41c9
0x01a00628
0x01a00628
0x01a00630
0x01a00631
0x01a00633
0x01a00635
0x01a00635
0x00000000
0x019a41c9
0x019a417d
0x019a4183
0x019a4189
0x019a418e
0x019a4190
0x01a004a9
0x01a004af
0x00000000
0x00000000
0x01a004b5
0x01a004c8
0x01a004d5
0x01a004e5
0x01a004ea
0x01a004f6
0x01a00518
0x01a0051e
0x01a00520
0x01a00522
0x00000000
0x00000000
0x01a00528
0x01a0052e
0x01a00530
0x00000000
0x00000000
0x01a0053b
0x01a0053d
0x00000000
0x00000000
0x01a00545
0x01a0054c
0x01a0054e
0x01a00623
0x00000000
0x01a00623
0x01a00556
0x01a00557
0x01a0056f
0x01a00574
0x01a00583
0x01a0058a
0x01a0058b
0x01a0058d
0x01a005b5
0x01a005c0
0x01a005c6
0x01a005c8
0x01a005cb
0x01a005cd
0x01a005d3
0x01a005d5
0x00000000
0x00000000
0x00000000
0x00000000
0x01a005db
0x01a005db
0x01a005e3
0x01a005e7
0x01a005e9
0x01a005eb
0x01a005ed
0x01a005ed
0x01a005fa
0x01a005ff
0x01a00606
0x01a0060b
0x01a0060d
0x00000000
0x00000000
0x01a00613
0x01a00613
0x01a00616
0x01a00616
0x00000000
0x01a0061e
0x01a0058f
0x01a00594
0x01a00596
0x01a00598
0x00000000
0x01a0059d
0x019a4196
0x019a4198
0x019a419d
0x019a419f
0x00000000
0x00000000
0x019a41a1
0x00000000
0x019a4151
0x019a4151
0x019a4151
0x00000000
0x019a4151

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 01A005F1
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A00566
ExecuteOptions, xrefs: 01A0050A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A0058F
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A004BF
Execute=1, xrefs: 01A0057D
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A005AC

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6b70da00a1f8f72c225352c0cfb15f5fdcb88b39ef5576e070b9e3c2db1d28d7
Instruction ID: d4956fe071b4d02fb93ebdb3569ad82da17d20fe9ec83f0e053545291ead8a5f
Opcode Fuzzy Hash: 6b70da00a1f8f72c225352c0cfb15f5fdcb88b39ef5576e070b9e3c2db1d28d7
Instruction Fuzzy Hash: 67612E317002197AEF21EB55ED85FE977ACFF74705F4800A9E60D97181DBB0AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 019A77A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A02953

Strings

RTL: Resource at %p, xrefs: 01A0296B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A0295B
RTL: Re-Waiting, xrefs: 01A02988

Memory Dump Source

Source File: 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1980000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d9590be36166479a55dbd4d1448385fd08d6cecc47f906b5389279cc0ba7498f
Instruction ID: 6dd3eb2c47acf59a8c17ee110d3ddf8d3c1778276247d001070ddbceb32dee0f
Opcode Fuzzy Hash: d9590be36166479a55dbd4d1448385fd08d6cecc47f906b5389279cc0ba7498f
Instruction Fuzzy Hash: A7314935A00722BBCB238A59DC85F677BA4EF91BA0F540219FD4897681DB11BC15C7E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Bulz.785643.17886.29229

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 014D6D2E, Relevance: 3.5, Strings: 2, Instructions: 972
COMMON

Function 014D7E10, Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Function 014D8122, Relevance: 1.4, Strings: 1, Instructions: 182
COMMON

Function 014DE342, Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Function 014DE350, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 014DBF38, Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 014D3E38, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 014D537F, Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 014DE572, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 014DE578, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 014DC138, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 014DC7B1, Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 014DC528, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 014DC530, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0041869D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
filenativeCOMMON

Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 00418642, Relevance: 1.5, APIs: 1, Instructions: 32
filenativeCOMMON

Function 004187CB, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Function 004187D0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041871A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON