
Windows Analysis Report SecuriteInfo.com.Variant.Bulz.468687.12862.10596

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Bulz.468687.12862.10596 (renamed file extension from 10596 to exe)
Analysis ID: 547112
MD5: b151f8d7b9dcf80375ba12746289c15b
SHA1: c826226bfd50994b82aa6de2c1acab492cb042bc
SHA256: 7b7ffdabadd1e1ea05600f00d17abf7032e65873bc833a50555b7cd8b26c8a17
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Connects to a pastebin service (likely for C&C)
Binary or sample is protected by dotNetProtector
PE file contains section with special chars
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Drops PE files
Installs a global mouse hook
Checks if the current process is being debugged
PE file contains sections with non-standard names
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Memory Dumps

Source: 00000001.00000000.285180412.000002863F91E000.00000002.00020000.sdmp
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.468687.12862.exe PID: 5312
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

Unpacked PEs

Source: 1.0.SecuriteInfo.com.Variant.Bulz.468687.12862.exe.2863f770000.0.unpack
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview


          AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Virustotal: Detection: 61%
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Metadefender: Detection: 17%
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | ReversingLabs: Detection: 51%

          Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /raw/gBt2aRU3 HTTP/1.1 / Host: pastebin.com / Connection: Keep-Alive (no User-Agent header; this is the request behind the "HTTP GET or POST without a user agent" signature)
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.306779426.000002865A4A2000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.309121622.000002865A4B5000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.315178869.000002865A4AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.313074890.000002865A4AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.313910200.000002865A4E1000.00000004.00000001.sdmp, 00000001.00000003.315022391.000002865A4E1000.00000004.00000001.sdmp, 00000001.00000003.315231252.000002865A4E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | String found in binary or memory: https://discord.gg/TEURkNF6D3
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | String found in binary or memory: https://pastebin.com/raw/gBt2aRU3
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Windows user hook set: 0 mouse low level C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe
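The pastebin request above carries only Host and Connection headers, which is what the "HTTP GET or POST without a user agent" signature keys on (.NET's WebClient and HttpWebRequest send no User-Agent unless the program sets one, so this is consistent with a .NET downloader). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses raw HTTP/1.x request heads as a proxy or sandbox would capture them and flags raw-paste fetches that lack a User-Agent. The paste-site list, the /raw/ path pattern and the negative-control requests are constructed for the example; only the first sample request reproduces the one observed in this report.

```python
"""Flag paste-site /raw/ fetches that carry no User-Agent header.
Added example; parses HTTP/1.x request heads (as captured by a proxy or
sandbox), not the report's own tooling."""
import re
from dataclasses import dataclass, field

# Assumed list of paste services whose raw endpoints commonly serve stage-2
# URLs or configuration; extend it for your environment.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com", "rentry.co"}
RAW_PATH = re.compile(r"^/raw/[A-Za-z0-9]+$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse a request line plus headers. Header names are lower-cased so
    lookups are case-insensitive; duplicate headers keep the last value."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                             # end of head, body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def classify(req: HttpRequest) -> list:
    """Indicators this request matches. Both together is the pattern this
    report flags: a config/stage fetch from a paste site by a client that
    identifies itself with no User-Agent at all."""
    hits = []
    host = req.headers.get("host", "").split(":")[0].lower()
    if host in PASTE_HOSTS and RAW_PATH.match(req.path):
        hits.append("paste-raw-fetch")
    if req.method in ("GET", "POST") and "user-agent" not in req.headers:
        hits.append("no-user-agent")
    return hits


def scan(raw_requests) -> list:
    """Return [(host+path, hits)] for every request head given."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((req.headers.get("host", "?") + req.path, classify(req)))
    return out


# Constructed sample. The first entry reproduces the request in this report
# (only Host and Connection headers); the others are what a browser and a
# curl user would send and serve as negative controls.
SAMPLE_REQUESTS = [
    "GET /raw/gBt2aRU3 HTTP/1.1\r\nHost: pastebin.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /raw/gBt2aRU3 HTTP/1.1\r\nHost: pastebin.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n",
]

if __name__ == "__main__":
    for target, hits in scan(SAMPLE_REQUESTS):
        print(f"{target:40} {', '.join(hits) or 'clean'}")
```

Either indicator alone is noisy (legitimate tooling fetches raw pastes, and plenty of benign software omits a User-Agent); the combination is what merits a detection, and the paste URL itself is a better pivot than the IP, which is a Cloudflare edge shared with unrelated traffic.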

          System Summary:

PE file contains section with special chars
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: section name: `M&#
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000000.285190031.000002863F934000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename mm.exe vs SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Binary or memory string: OriginalFilename mm.exe vs SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: SiticoneDotNetRT64.dll.1.dr | Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ (a .reloc section marked both writable and executable is not what a compiler emits; it points at post-build packing or protection of the dropped DLL)
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: Section: `M&# ZLIB complexity 1.0003094116
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | File created: C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static file information: File size 1836544 > 1048576
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header: the file is a managed .NET executable)
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: Raw size of `M&# is bigger than: 0x100000 < 0x1aae00
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mm.pdbBSJB | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: costura.costura.pdb.compressed | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: colorsliderEcostura.colorslider.dll.compressedEcostura.colorslider.pdb.compressed | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: togglesliderGcostura.toggleslider.dll.compressedGcostura.toggleslider.pdb.compressed6 | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: mm.pdb | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: costura.toggleslider.pdb.compressed | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe
Source: Binary string: costura.colorslider.pdb.compressed | source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe

          Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match | File source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, type: SAMPLE
Source: Yara match | File source: 1.0.SecuriteInfo.com.Variant.Bulz.468687.12862.exe.2863f770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.285180412.000002863F91E000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.468687.12862.exe PID: 5312, type: MEMORYSTR
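Costura.Fody embeds each referenced assembly as a managed resource named costura.<assembly name, lower-cased>.dll (and .pdb for symbols), with a .compressed suffix when the resource holds a raw DEFLATE stream written by System.IO.Compression.DeflateStream; the resource names recovered from this sample (costura.colorslider.dll.compressed, costura.toggleslider.dll.compressed, costura.microsoft.bcl.asyncinterfaces.dll.compressed, ...) follow that scheme. The Python below is an added example, not code from the report or from the sample: given the manifest resources already pulled out of the .NET binary (with dnSpy, ILSpy or a metadata parser; that extraction step is assumed, not shown), it inflates the Costura entries, recovers the file names and records which ones are PE files. The resource bodies are constructed placeholders, not the sample's real DLLs, and the non-Costura resource name is made up for the example.

```python
"""Recover assemblies embedded by Costura.Fody. Added example, not the sample's code."""
import hashlib
import zlib

COSTURA_PREFIX = "costura."
COMPRESSED_SUFFIX = ".compressed"


def inflate_costura_resource(name: str, data: bytes) -> bytes:
    """Return the embedded file held by one Costura manifest resource.
    Resources ending in '.compressed' carry a raw DEFLATE stream produced by
    System.IO.Compression.DeflateStream (no zlib header), hence wbits=-15;
    the others are stored verbatim."""
    if not name.startswith(COSTURA_PREFIX):
        raise ValueError(f"not a Costura resource: {name}")
    if name.endswith(COMPRESSED_SUFFIX):
        return zlib.decompress(data, wbits=-15)
    return data


def extract_embedded(resources: dict) -> dict:
    """Map every Costura resource to its file name, bytes, PE check and hash.
    Costura lower-cases the assembly name when naming the resource, so the
    file name recovered here is lower-case too."""
    found = {}
    for name, blob in resources.items():
        if not name.startswith(COSTURA_PREFIX):
            continue                          # ordinary .resources etc.
        payload = inflate_costura_resource(name, blob)
        fname = name[len(COSTURA_PREFIX):]
        if fname.endswith(COMPRESSED_SUFFIX):
            fname = fname[:-len(COMPRESSED_SUFFIX)]
        found[fname] = {
            "bytes": payload,
            "is_pe": payload[:2] == b"MZ",
            "sha256": hashlib.sha256(payload).hexdigest(),
        }
    return found


def _deflate(data: bytes) -> bytes:
    """Raw DEFLATE, as DeflateStream writes it. Used only to build the constructed sample."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Constructed sample resources. The names are the ones recovered from this
# sample; the bodies are placeholders (an 'MZ' header plus filler), not the
# real DLLs. 'costura.helper.dll' shows the uncompressed form Costura emits
# when compression is disabled; the last entry is a made-up non-Costura resource.
SAMPLE_RESOURCES = {
    "costura.colorslider.dll.compressed": _deflate(b"MZ" + b"\0" * 62 + b"colorslider placeholder"),
    "costura.colorslider.pdb.compressed": _deflate(b"Microsoft C/C++ MSF 7.00\r\n\x1aDS" + b"\0" * 16),
    "costura.toggleslider.dll.compressed": _deflate(b"MZ" + b"\0" * 62 + b"toggleslider placeholder"),
    "costura.helper.dll": b"MZ" + b"\0" * 62 + b"uncompressed placeholder",
    "mm.Properties.Resources.resources": b"not a Costura resource",
}

if __name__ == "__main__":
    for fname, info in extract_embedded(SAMPLE_RESOURCES).items():
        print(f"{fname:20} pe={info['is_pe']!s:5} size={len(info['bytes']):4} sha256={info['sha256'][:16]}...")
```

Hash each recovered DLL and triage it separately: the Costura loader itself is a legitimate build tool, and the Yara hit says only that the sample bundles its dependencies this way; whether any of them is malicious has to come from the extracted files. Note that here the sample also embeds Costura's own assembly (costura.costura.dll.compressed), which is normal for Costura builds.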
Binary or sample is protected by dotNetProtector
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000000.285180412.000002863F91E000.00000002.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Static PE information: section name: `M&#
Source: initial sample | Static PE information: section name: `M&# entropy: 7.9998839862
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | File created: C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll (dropped file)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Process information set: NOOPENFILEERRORBOX (reported 59 times; one identical entry per call)
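Several of the static findings above (a section named `M&# with characters outside the usual [A-Za-z0-9._$] set, section entropy of 7.9998, no import directory, and a CLR header marking the file as .NET) are cheap to reproduce without a sandbox. The Python below is an added example, not part of the report: it reads the PE data directories and section table with struct alone and applies those checks. Because it has to run offline it first builds a minimal synthetic PE32+ image whose packed section is named as this report renders it; the synthetic image, the 7.9 bits/byte entropy threshold and the allowed-character set are assumptions of the example, not facts from the report.

```python
"""Static PE triage for the indicators in this report: section names with
unusual characters, near-maximal section entropy, an empty import directory
and a CLR (.NET) header. Added example; pure stdlib, no pefile dependency."""
import math
import struct
from collections import Counter

FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
DIR_IMPORT, DIR_COM_DESCRIPTOR = 1, 14          # data directory indexes
# Assumption of this example: anything outside this set is a "special char".
SAFE_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
HIGH_ENTROPY = 7.9                               # assumed threshold, bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means all 256 byte values are equally frequent."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(sections, import_size=0, clr_size=0) -> bytes:
    """Assemble a minimal PE32+ image (DOS stub, COFF + optional header, section
    table, raw section data). Constructed test input only: parseable, not loadable."""
    e_lfanew, opt_size = 0x40, 240               # PE32+ optional header incl. 16 dirs
    raw_ptr = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    rva, table, blobs = SECTION_ALIGN, b"", b""
    for name, data, chars in sections:
        raw_len = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_len,
                             raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_len, b"\0")
        rva += _align(max(len(data), 1), SECTION_ALIGN)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (0x2000, import_size) if import_size else (0, 0)
    dirs[DIR_COM_DESCRIPTOR] = (0x2100, clr_size) if clr_size else (0, 0)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0, 0,
                      0x1000, 0x1000, 0x140000000, SECTION_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0, 0, rva, raw_ptr, 0, 2, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs


def parse_pe(image: bytes) -> dict:
    """Read the data directories and section table of a PE32/PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    ndirs = struct.unpack_from("<I", image, dir_off - 4)[0]
    dirs = [struct.unpack_from("<II", image, dir_off + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(nsec):
        name, _, _, raw_sz, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), chars, image[raw_ptr:raw_ptr + raw_sz]))
    return {"magic": magic, "dirs": dirs, "sections": sections}


def triage(image: bytes) -> dict:
    """Apply the report's static checks; returns per-section stats and flags."""
    pe = parse_pe(image)
    stats, flags = [], []
    for name, chars, data in pe["sections"]:
        ent = shannon_entropy(data)
        stats.append((name, round(ent, 4), len(data), chars))
        if any(chr(b) not in SAFE_NAME_CHARS for b in name):
            flags.append(f"special-chars-section-name:{name!r}")
        if ent > HIGH_ENTROPY:
            flags.append(f"high-entropy-section:{name!r}")
    if pe["dirs"][DIR_IMPORT][1] == 0:
        flags.append("no-import-directory")
    if pe["dirs"][DIR_COM_DESCRIPTOR][1]:
        flags.append("clr-header-present")       # managed (.NET) executable
    return {"sections": stats, "flags": flags}


# Constructed sample: a .text-like section, a section named as this report
# renders the packed one (`M&#) filled with uniformly distributed bytes, and a
# resource section; no import directory, CLR header present.
SAMPLE_IMAGE = build_pe([
    (b".text", b"\x48\x83\xec\x28" * 64 + b"\0" * 256, 0x60000020),
    (b"`M&#", bytes(range(256)) * 8, 0xE0000020),
    (b".rsrc", b"costura.colorslider.dll.compressed" * 4, 0x40000040),
], import_size=0, clr_size=72)

if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE)
    for name, ent, size, chars in result["sections"]:
        print(f"{name!r:12} entropy={ent:.4f} size={size} chars={chars:#010x}")
    print("flags:", result["flags"])
```

Run against a real file, replace SAMPLE_IMAGE with open(path, "rb").read(). A managed executable that lacks even the usual mscoree import is what the "PE file does not import any functions" signature means here: the CLR still loads it, so the empty import table does not by itself say the file is non-functional, only that it was rewritten after compilation.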

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | RDTSC instruction interceptor: First address: 00007FFC6E1D1F0F, second address: 00007FFC6E1D1F90, instructions:
  0x00000000 rdtsc
  0x00000002 dec eax
  0x00000003 shl edx, 20h
  0x00000006 dec eax
  0x00000007 or eax, edx
  0x00000009 dec eax
  0x0000000a mov dword ptr [esp+28h], eax
  0x0000000e dec eax
  0x0000000f mov eax, dword ptr [esp+30h]
  0x00000013 dec eax
  0x00000014 mov ecx, dword ptr [esp+28h]
  0x00000018 dec eax
  0x00000019 sub ecx, eax
  0x0000001b dec eax
  0x0000001c mov eax, ecx
  0x0000001e dec eax
  0x0000001f add esp, 48h
  0x00000022 ret
  0x00000023 dec eax
  0x00000024 mov dword ptr [00010326h], eax
  0x0000002a mov dword ptr [esp+28h], 00000000h
  0x00000032 jmp 00007F9DC516E9ECh
  0x00000034 mov eax, dword ptr [esp+50h]
  0x00000038 cmp dword ptr [esp+28h], eax
  0x0000003c jnl 00007F9DC516EA24h
  0x0000003e rdtsc
Reading note: the addresses are 64-bit (0x00007FFC...) but the listing is decoded as 32-bit code, so every "dec eax" (byte 0x48) is really a REX.W prefix on the instruction after it. Read as x64 the first block is rdtsc; shl rdx, 32; or rax, rdx; mov [rsp+28h], rax; mov rax, [rsp+30h]; mov rcx, [rsp+28h]; sub rcx, rax; mov rax, rcx; add rsp, 48h; ret, i.e. a helper that combines EDX:EAX into a 64-bit timestamp and returns the delta from a stored start value. The second block resets a counter at [rsp+28h] and loops against the bound at [rsp+50h], taking a fresh rdtsc on each iteration; the JIT-compiled addresses mean this is the sample's own managed code timing itself, which is the measurement the interceptor flags.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Window / User API: threadDelayed 515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Window / User API: foregroundWindowGot 809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information (VolumeInformation) for each of the following files under C:\Windows\Fonts\: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf
Reading note: volume queries against every installed font file are what font enumeration by the .NET UI stack (GDI+/WinForms) looks like, and this sample bundles UI control libraries (colorslider, toggleslider, SiticoneDotNetRT64.dll) and carries font-vendor strings; on its own this item is weak evidence of evasion, unlike the RDTSC loop, DebugPort query and SeDebugPrivilege adjustment above it.
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Mitre Att&ck Matrix

Techniques listed per tactic column of the matrix (numbers in parentheses are the signature hit counts shown next to the observed techniques):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (2); Software Packing; Steganography
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (112)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Web Service (1); Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

Legend of the behavior graph (the graph itself is an image): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Variant.Bulz.468687.12862.exe | 62% | Virustotal |
SecuriteInfo.com.Variant.Bulz.468687.12862.exe | 17% | Metadefender |
SecuriteInfo.com.Variant.Bulz.468687.12862.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Bulz

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll | 2% | Virustotal |
C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll | 7% | ReversingLabs |

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://en.w | 0% | URL Reputation | safe
https://discord.gg/TEURkNF6D3 | 0% | Avira URL Cloud | safe

          Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.23.98.190 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/gBt2aRU3 | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.309121622.000002865A4B5000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/frere-jones.html | SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.313910200.000002865A4E1000.00000004.00000001.sdmp; SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.315022391.000002865A4E1000.00000004.00000001.sdmp; SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.315231252.000002865A4E1000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.315178869.000002865A4AC000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/ | SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.313074890.000002865A4AC000.00000004.00000001.sdmp | false | | high
http://en.w | SecuriteInfo.com.Variant.Bulz.468687.12862.exe, 00000001.00000003.306779426.000002865A4A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://discord.gg/TEURkNF6D3 | SecuriteInfo.com.Variant.Bulz.468687.12862.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.98.190 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false

                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 547112
Start date: 02.01.2022
Start time: 14:39:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Variant.Bulz.468687.12862.10596 (renamed file extension from 10596 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.troj.evad.winEXE@1/1@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
14:40:31 | API Interceptor | 2x Sleep call for process: SecuriteInfo.com.Variant.Bulz.468687.12862.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      104.23.98.190C4erXJwD0y.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/VJWK0vZ5
                      p38z7oEMj6.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/VJWK0vZ5
                      C1jT7pIYSJ.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/npsqXhuQ
                      uwoYazbVds.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/npsqXhuQ
                      u6Wf8vCDUv.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/BCAJ8TgJ
                      EU441789083.docGet hashmaliciousBrowse
                      • pastebin.com/raw/BCAJ8TgJ
                      b095b966805abb7df4ffddf183def880.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      E1Q0TjeN32.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      6YCl3ATKJw.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      Hjnb15Nuc3.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      JDgYMW0LHW.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      4av8Sn32by.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      5T4Ykc0VSK.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      afvhKak0Ir.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      T6OcyQsUsY.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      1KITgJnGbI.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      PxwWcmbMC5.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      XnAJZR4NcN.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0
                      PbTwrajNMX.exeGet hashmaliciousBrowse
                      • pastebin.com/raw/XMKKNkb0

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      pastebin.comaTEuNvR5p8.exeGet hashmaliciousBrowse
                      • 104.23.99.190
                      OAch7032Uv.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      BEA Copie de paiement bancairepdf.exeGet hashmaliciousBrowse
                      • 104.23.99.190
                      36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      Bse5LQc2n4.exeGet hashmaliciousBrowse
                      • 104.23.99.190
                      wpJqviS40a.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      NFE_345654.msiGet hashmaliciousBrowse
                      • 104.23.98.190
                      workfromhomepolicy.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      UUXQwuYmWt.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      CfAG7RLYwP.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      imgengine.dllGet hashmaliciousBrowse
                      • 104.23.98.190
                      imgengine.dllGet hashmaliciousBrowse
                      • 104.23.99.190
                      NotaFiscal.msiGet hashmaliciousBrowse
                      • 104.23.98.190
                      6VTSHr3nIo.exeGet hashmaliciousBrowse
                      • 104.23.98.190
                      NFE_87654.MSIGet hashmaliciousBrowse
                      • 104.23.99.190
                      sh8srUMTFU.exeGet hashmaliciousBrowse
                      • 104.23.99.190
                      NotaFiscal.msiGet hashmaliciousBrowse
                      • 104.23.99.190
                      cIMLOZ1cev.msiGet hashmaliciousBrowse
                      • 104.23.98.190
                      RT.msiGet hashmaliciousBrowse
                      • 104.23.98.190
                      qJMspmXMZw.exeGet hashmaliciousBrowse
                      • 104.23.98.190

                      ASN

                      Match: CLOUDFLARENETUS
                      Associated Sample Name / URL | Detection | Context
                      A8ibgLBZ6i.exe | malicious | 104.18.115.97
                      SecuriteInfo.com.Trojan.PWS.DiscordNET.4.1579.exe | malicious | 162.159.133.233
                      SecuriteInfo.com.BackDoor.Orcus.7.17083.exe | malicious | 162.159.133.233
                      aTEuNvR5p8.exe | malicious | 104.23.99.190
                      phantom.x86 | malicious | 141.101.96.213
                      7RbpPodUxF.exe | malicious | 172.67.143.210
                      4eW6Rbzt5c.exe | malicious | 172.67.213.194
                      LqXN86hbFW.exe | malicious | 104.21.75.46
                      JY41YNvtSO.exe | malicious | 104.21.27.252
                      pFbDBiVrlg.exe | malicious | 104.21.75.46
                      9FfrM4JJzA.exe | malicious | 104.21.50.158
                      7WQadnF0l1.exe | malicious | 172.67.143.210
                      KM3g6Tj6pV.exe | malicious | 162.159.130.233
                      WiLIUq6inF.exe | malicious | 104.21.27.252
                      U1s1GwPLnL.exe | malicious | 172.67.132.27
                      3YzgU3S0nW.exe | malicious | 162.159.133.233
                      GJXZRPhgm4.exe | malicious | 162.159.133.233
                      4f4deRCUD7.exe | malicious | 162.159.135.233
                      28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe | malicious | 104.23.98.190
                      #Ud83d#UdcdeVM-#Ud83d#Udce0Firstontario.htm | malicious | 104.18.11.207

                      JA3 Fingerprints

                      Match: 3b5074b1b5d032e5620f69f9f700ff0e
                      Associated Sample Name / URL | Detection | Context
                      nVtmOImU7k.exe | malicious | 104.23.98.190
                      SecuriteInfo.com.Trojan.PWS.DiscordNET.4.1579.exe | malicious | 104.23.98.190
                      SecuriteInfo.com.BackDoor.Orcus.7.17083.exe | malicious | 104.23.98.190
                      CD795qHYPg.exe | malicious | 104.23.98.190
                      aTEuNvR5p8.exe | malicious | 104.23.98.190
                      BcRHxjnP48.exe | malicious | 104.23.98.190
                      NipvRhVwat.exe | malicious | 104.23.98.190
                      YmytY81Ix0.exe | malicious | 104.23.98.190
                      RKj1mHZRn7.exe | malicious | 104.23.98.190
                      3el53P37FZ.exe | malicious | 104.23.98.190
                      r6ztFWfade.exe | malicious | 104.23.98.190
                      1.exe | malicious | 104.23.98.190
                      neworder-enquiry (2).exe | malicious | 104.23.98.190
                      ZWA.exe | malicious | 104.23.98.190
                      ZWA.exe | malicious | 104.23.98.190
                      Skinschanger.exe | malicious | 104.23.98.190
                      ZkVJRlUYnR.exe | malicious | 104.23.98.190
                      ZojuYUkz0q.exe | malicious | 104.23.98.190
                      QFRFUSOEkW.exe | malicious | 104.23.98.190
                      4HWena6foj.exe | malicious | 104.23.98.190

                      Dropped Files

                      Match: C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll
                      Associated Sample Name / URL | Detection
                      Ambrosial.exe | malicious
                      FIa4FloXT2.exe | malicious

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll
                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):146414
                          Entropy (8bit):6.346082537918833
                          Encrypted:false
                          SSDEEP:3072:tvfStxRL/l1JLnPynOuA7tuPkVg4qm5a4:ZKFJdvhqm5/
                          MD5:9C43F77CB7CFF27CB47ED67BABE3EDA5
                          SHA1:B0400CF68249369D21DE86BD26BB84CCFFD47C43
                          SHA-256:F25B9288FE370DCFCB4823FB4E44AB88C7F5FCE6E137D0DBA389A3DBA07D621E
                          SHA-512:CDE6FB6CF8DB6F9746E69E6C10214E60B3646700D70B49668A2A792E309714DD2D4C5A5241977A833A95FCDE8318ABCC89EB9968A5039A0B75726BBFA27125A7
                          Malicious:false
                          Antivirus:
                          • Antivirus: Virustotal, Detection: 2%
                          • Antivirus: Metadefender, Detection: 3%
                          • Antivirus: ReversingLabs, Detection: 7%
                          Joe Sandbox View:
                          • Filename: Ambrosial.exe, Detection: malicious
                          • Filename: FIa4FloXT2.exe, Detection: malicious
                          Reputation:low
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0..J0..J0..J_.&J3..J9..J;..J0..Jf..J_..J1..J+,.J1..J+,&J(..J+,.J1..J+,.J1..J+,.J1..JRich0..J........................PE..d......Y.........." .........0...............................................p......8&....@.............................................s.......x....@.......0...............P..................................................................`....................text...1........................... ..`.rdata..c...........................@..@.data...X.... ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P....... ..............`...........................................................................................................................................................................................................................................................

                          Static File Info

                          General

                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.983894033759613
                          TrID:
                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                          • Win64 Executable GUI (202006/5) 46.43%
                          • Win64 Executable (generic) (12005/4) 2.76%
                          • Generic Win/DOS Executable (2004/3) 0.46%
                          • DOS Executable Generic (2002/1) 0.46%
                          File name:SecuriteInfo.com.Variant.Bulz.468687.12862.exe
                          File size:1836544
                          MD5:b151f8d7b9dcf80375ba12746289c15b
                          SHA1:c826226bfd50994b82aa6de2c1acab492cb042bc
                          SHA256:7b7ffdabadd1e1ea05600f00d17abf7032e65873bc833a50555b7cd8b26c8a17
                          SHA512:cf03670e1872b2ab0c391289b3db0f0076e575b9ca7ce18aa560669028cfc7d378a25771a08cf53d86e8be15a4f769d2acf84b068e325147f1729a6c387d8ecf
                          SSDEEP:49152:VxeSA72PbxqYB4hsVXuRjRzeGxqlegrAq:DxA7MEYmy9eZeGVgr
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..B....................@...... .......................`............`...@......@............... .....

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x400000
                          Entrypoint Section:
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x4BCA6EE [Sat Jul 8 19:39:26 1972 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:

                          Entrypoint Preview

                          Instruction
                          dec ebp
                          pop edx
                          nop
                          add byte ptr [ebx], al
                          add byte ptr [eax], al
                          add byte ptr [eax+eax], al
                          add byte ptr [eax], al

                          Data Directories

                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c4000 | 0x1125 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1aebf0 | 0x1c | .text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x1ae000 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          `M&# | 0x2000 | 0x1aad70 | 0x1aae00 | False | 1.0003094116 | data | 7.9998839862 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .text | 0x1ae000 | 0x14164 | 0x14200 | False | 0.421644506988 | data | 5.83707175433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x1c4000 | 0x1125 | 0x1200 | False | 0.389539930556 | data | 4.99924114982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                          Resources

                          Name | RVA | Size | Type | Language | Country
                          RT_VERSION | 0x1c40a0 | 0x2ec | data | |
                          RT_MANIFEST | 0x1c438c | 0xd99 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                          Version Infos

                          Description | Data
                          Translation | 0x0000 0x04b0
                          LegalCopyright | Copyright 2021
                          Assembly Version | 1.0.0.0
                          InternalName | mm.exe
                          FileVersion | 1.0.0.0
                          CompanyName |
                          LegalTrademarks |
                          Comments |
                          ProductName | mm
                          ProductVersion | 1.0.0.0
                          FileDescription | mm
                          OriginalFilename | mm.exe

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jan 2, 2022 14:40:30.768843889 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:30.768923998 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:30.769064903 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:30.807647943 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:30.807719946 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:30.867039919 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:30.867171049 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:30.872610092 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:30.872647047 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:30.872903109 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:30.924082994 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:31.177551031 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:31.209264040 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:31.209440947 CET | 443 | 49695 | 104.23.98.190 | 192.168.2.3
                          Jan 2, 2022 14:40:31.209542036 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190
                          Jan 2, 2022 14:40:31.216758013 CET | 49695 | 443 | 192.168.2.3 | 104.23.98.190

                          UDP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jan 2, 2022 14:40:30.729254961 CET | 57558 | 53 | 192.168.2.3 | 8.8.8.8
                          Jan 2, 2022 14:40:30.750864029 CET | 53 | 57558 | 8.8.8.8 | 192.168.2.3

                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Jan 2, 2022 14:40:30.729254961 CET | 192.168.2.3 | 8.8.8.8 | 0x7b11 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Jan 2, 2022 14:40:30.750864029 CET | 8.8.8.8 | 192.168.2.3 | 0x7b11 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                          Jan 2, 2022 14:40:30.750864029 CET | 8.8.8.8 | 192.168.2.3 | 0x7b11 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • pastebin.com

                          HTTPS Proxied Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.3 | 49695 | 104.23.98.190 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe
                          Timestamp | kBytes transferred | Direction | Data
                          2022-01-02 13:40:31 UTC | 0 | OUT | GET /raw/gBt2aRU3 HTTP/1.1
                          Host: pastebin.com
                          Connection: Keep-Alive
                          2022-01-02 13:40:31 UTC | 0 | IN | HTTP/1.1 200 OK
                          Date: Sun, 02 Jan 2022 13:40:31 GMT
                          Content-Type: text/plain; charset=utf-8
                          Transfer-Encoding: chunked
                          Connection: close
                          x-frame-options: DENY
                          x-content-type-options: nosniff
                          x-xss-protection: 1;mode=block
                          cache-control: public, max-age=1801
                          CF-Cache-Status: HIT
                          Age: 76
                          Last-Modified: Sun, 02 Jan 2022 13:39:15 GMT
                          Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                          Server: cloudflare
                          CF-RAY: 6c74664ee8318bee-FRA
                          2022-01-02 13:40:31 UTC | 0 | IN | Data Raw: 35 0d 0a 35 2e 32 2e 38 0d 0a
                          Data Ascii: 55.2.8
                          2022-01-02 13:40:31 UTC | 0 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Code Manipulations

                          Statistics

                          CPU Usage

                          Memory Usage

                          High Level Behavior Distribution

                          System Behavior

                          General

                          Start time:14:40:08
                          Start date:02/01/2022
                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.468687.12862.exe"
                          Imagebase:0x2863f770000
                          File size:1836544 bytes
                          MD5 hash:B151F8D7B9DCF80375BA12746289C15B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000000.285180412.000002863F91E000.00000002.00020000.sdmp, Author: Joe Security
                          Reputation:low

                          Disassembly

                          Code Analysis
