Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Artemis6D92C3B9739F.17565.19344

Overview

General Information

Sample Name:	SecuriteInfo.com.Artemis6D92C3B9739F.17565.19344 (renamed file extension from 19344 to exe)
Analysis ID:	432685
MD5:	6d92c3b9739f2747f6956811f68888ea
SHA1:	f59d802038242dcd6703a937617b2d8d34b7aa33
SHA256:	675e2470a3c7fe645fe445c95ae152a2dd2d2ccedb366e3cc1e070bb31c59ec4
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe (PID: 3260 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe' MD5: 6D92C3B9739F2747F6956811F68888EA)

SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe (PID: 1324 cmdline: {path} MD5: 6D92C3B9739F2747F6956811F68888EA)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales@bmrtecpack.comABdiamond6_mail.bmrtecpack.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales@bmrtecpack.comABdiamond6_mail.bmrtecpack.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Virustotal: Detection: 37%			Perma Link
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	ReversingLabs: Detection: 32%

Source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.e80000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Unpacked PE file: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.e80000.0.unpack

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: http://cYyYVS.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC0448DA7u002d4E27u002d4EBBu002dBFE2u002d7B9ACCAD555Fu007d/C0905EA8u002d4351u002d4435u002dAE89u002d987684056F20.cs	Large array initialization: .cctor: array initializer size 11955
Source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC0448DA7u002d4E27u002d4EBBu002dBFE2u002d7B9ACCAD555Fu007d/C0905EA8u002d4351u002d4435u002dAE89u002d987684056F20.cs	Large array initialization: .cctor: array initializer size 11955

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C01A4 NtQueryInformationProcess,	1_2_056C01A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C017E NtQueryInformationProcess,	1_2_056C017E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C3448 NtQueryInformationProcess,	1_2_056C3448

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05220040	1_2_05220040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05221548	1_2_05221548
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05221558	1_2_05221558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_052254C8	1_2_052254C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05221F67	1_2_05221F67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05221F68	1_2_05221F68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_05220006	1_2_05220006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C2D28	1_2_056C2D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C3770	1_2_056C3770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C3200	1_2_056C3200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C04E0	1_2_056C04E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C04D0	1_2_056C04D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C2D18	1_2_056C2D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C3760	1_2_056C3760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C31F1	1_2_056C31F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F8BC8	1_2_096F8BC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096FD498	1_2_096FD498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F8EB8	1_2_096F8EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F9528	1_2_096F9528
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F9538	1_2_096F9538
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F94DF	1_2_096F94DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F5628	1_2_096F5628
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F5638	1_2_096F5638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F8EA7	1_2_096F8EA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096FEEB8	1_2_096FEEB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 14_2_00D446A0	14_2_00D446A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 14_2_00D44690	14_2_00D44690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 14_2_00D44672	14_2_00D44672
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 14_2_00D4DA01	14_2_00D4DA01

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296606542.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296606542.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameePUOspPlFKoWfYWsXFvPOOzMAHL.exe4 vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.295762615.0000000000F6A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameeA0n.exe: vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.307680627.0000000007B80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.307763637.0000000007DB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameePUOspPlFKoWfYWsXFvPOOzMAHL.exe4 vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000000.292900335.00000000005AA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameeA0n.exe: vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Binary or memory string: OriginalFilenameeA0n.exe: vs SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.log

Jump to behavior

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Virustotal: Detection: 37%
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	ReversingLabs: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Unpacked PE file: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.e80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Unpacked PE file: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.e80000.0.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_00E87905 push 2B61A594h; retf	1_2_00E87916
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_056C20F4 push ds; retf	1_2_056C20F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096FA17F push eax; retf	1_2_096FA180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096FA189 push eax; retf	1_2_096FA18A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F8330 pushfd ; retf	1_2_096F8333
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F9786 push FFFFFFBAh; iretd	1_2_096F978A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 1_2_096F86A4 push dword ptr [esi+esi*2-3Eh]; ret	1_2_096F86AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Code function: 14_2_004C7905 push 2B61A594h; retf	14_2_004C7916

Source: initial sample

Static PE information: section name: .text entropy: 7.1033361475

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Window / User API: threadDelayed 2816			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Window / User API: threadDelayed 7005			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe TID: 1748	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe TID: 5492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe TID: 6512	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe TID: 6520	Thread sleep count: 2816 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe TID: 6520	Thread sleep count: 7005 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe {path}

Jump to behavior

Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.480490904.00000000013F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.480490904.00000000013F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.480490904.00000000013F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.480490904.00000000013F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260, type: MEMORY
Source: Yara match	File source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, type: UNPACKEDPE

Source: Yara match	File source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260, type: MEMORY
Source: Yara match	File source: 14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.4306fa8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Virtualization/Sandbox Evasion131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery113	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing22	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	37%	Virustotal		Browse
SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.0.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
14.2.SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://cYyYVS.com	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cYyYVS.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.304159213.0000000007662000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe, 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432685
Start date:	10.06.2021
Start time:	16:58:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Artemis6D92C3B9739F.17565.19344 (renamed file extension from 19344 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.6% (good quality ratio 0.9%) Quality average: 40.6% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 96% Number of executed functions: 113 Number of non-executed functions: 12
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:00:06	API Interceptor	483x Sleep call for process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
MD5:	B666A4404B132B2BF6C04FBF848EB948
SHA1:	D2EFB3D43F8B8806544D3A47F7DAEE8534981739
SHA-256:	7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
SHA-512:	00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.099353891925965
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
File size:	948224
MD5:	6d92c3b9739f2747f6956811f68888ea
SHA1:	f59d802038242dcd6703a937617b2d8d34b7aa33
SHA256:	675e2470a3c7fe645fe445c95ae152a2dd2d2ccedb366e3cc1e070bb31c59ec4
SHA512:	5b19fd3cec2dd08edbb9eb59f649602ef4322b3c36212f5c68f790a4931054f242d6340a41a69c57668e8d49485b021a84995ee9285a0905cb91576bf0840de3
SSDEEP:	12288:ITg2Nz2NNl8JIpA1J8k+vsUKRHmIH01b3Ua0EXCRT27JDD8yTahsPcT0WyId/q5+:ORNYj8JpSdsrkXl3ZCRTKX8l
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..b............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4e809e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C1ACE9 [Thu Jun 10 06:10:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe804c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x10f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe60a4	0xe6200	False	0.67023059818	data	7.1033361475	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x10f8	0x1200	False	0.377170138889	data	4.90318952392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xea0a0	0x32c	data
RT_MANIFEST	0xea3cc	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017 - 2021
Assembly Version	1.0.0.0
InternalName	eA0n.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Pharmacy POS
ProductVersion	1.0.0.0
FileDescription	Pharmacy POS
OriginalFilename	eA0n.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260 Parent PID: 5684

General

Start time:	16:59:09
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe'
Imagebase:	0xe80000
File size:	948224 bytes
MD5 hash:	6D92C3B9739F2747F6956811F68888EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.298346159.000000000423A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.296676571.0000000003235000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324 Parent PID: 3260

General

Start time:	16:59:49
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x4c0000
File size:	948224 bytes
MD5 hash:	6D92C3B9739F2747F6956811F68888EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.293820764.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.474523641.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.483683568.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260 Parent PID: 5684 SecuriteInfo.com.Artemis6D92C3B9739F.17565.exeCOMMON

Executed Functions

Function 056C017E, Relevance: 1.6, APIs: 1, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 056C3505

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 93a2f2129091ce2bb7b9d13f9027bf23b96572fa250abd3d718692aca3c9f5ee
Instruction ID: 77f8ff0931c2a85d559ddf4e8a1179863477a9e72639a99c0498ce14e60cbd2c
Opcode Fuzzy Hash: 93a2f2129091ce2bb7b9d13f9027bf23b96572fa250abd3d718692aca3c9f5ee
Instruction Fuzzy Hash: 2541B8B4D042989FCB10CFA9D884ADEBBB5FB0A324F14946AE815B7310D735A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 056C3448, Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 056C3505

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0ed765ce273c55d4bdf0638f0ea80da460466ae17fdbc61c430fa01203ab077d
Instruction ID: bf1161cb54e6fb252b098ddbea6f6c2e83ba9331d23751f389c1caa65997c5e6
Opcode Fuzzy Hash: 0ed765ce273c55d4bdf0638f0ea80da460466ae17fdbc61c430fa01203ab077d
Instruction Fuzzy Hash: 7A4177B9D002589FCF10CFA9D980ADEFBB5BB59314F10946AE815B7310D335A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056C01A4, Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 056C3505

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: fad201b924ef32ea9007629524c2aaac1970f2b8b3bdfdc08ee746487d2c7f95
Instruction ID: f5b2148f5bffc4f44939586e5c8094a2c0fb12bab3294db3422545bb62b1885c
Opcode Fuzzy Hash: fad201b924ef32ea9007629524c2aaac1970f2b8b3bdfdc08ee746487d2c7f95
Instruction Fuzzy Hash: 234186B8E042589FCF10CFAAD980ADEFBB5BB09314F10946AE814B7310D335A905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056C3770, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

H(, xrefs: 056C3A0F

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID: H(
API String ID: 2591292051-2376481732
Opcode ID: 91afa4368b06be35725ca4ef252b9f52c583a595ac2465d14f906fe5205331fb
Instruction ID: f811beaf565c0a3a17cb034f2bd5d8d360c1f1c9b10130bf8a42832040d48615
Opcode Fuzzy Hash: 91afa4368b06be35725ca4ef252b9f52c583a595ac2465d14f906fe5205331fb
Instruction Fuzzy Hash: 23A137B4E05218CFDB24CFA5D9886EDBBB2FB49301F1095ADC40AAB364DB385941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 056C3760, Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

H(, xrefs: 056C3A0F

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID: H(
API String ID: 0-2376481732
Opcode ID: cdf2b401ec1d481162bad3a860406837114bc661c8f6042205079316553ff136
Instruction ID: e5e923691968a75b3b0bbe08f4e63a0910af12bd4f9a43f6af13689c76ed3198
Opcode Fuzzy Hash: cdf2b401ec1d481162bad3a860406837114bc661c8f6042205079316553ff136
Instruction Fuzzy Hash: 96A15874E04218CFDB24CFA4D988AEDBBB2FB49301F1498ADC40AA7364DB385941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 05220040, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

|1q, xrefs: 052204AC

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID: |1q
API String ID: 0-1794949004
Opcode ID: dded122c560de00fc117b884a707d360ef9a5b4bfe8e6c49149dc11508f991b1
Instruction ID: 1b3be8d76f1c08555fe314726373a0f04a71c5007b7f1b5455d7ea89c041b777
Opcode Fuzzy Hash: dded122c560de00fc117b884a707d360ef9a5b4bfe8e6c49149dc11508f991b1
Instruction Fuzzy Hash: 3B914975E1562A9BDB64CF69CC44BD9BBB2FF89300F00C1EAD509A7254EB705A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 096F94DF, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

uq, xrefs: 096F9645

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID: uq
API String ID: 0-417495262
Opcode ID: 43023d10a85cda61d37e131ac02b85d890b567be2254b14b8e87af2c66b14e06
Instruction ID: 6a36158f2a045a1904851d485cca76b12f7de070e3ce27cdde40c64ecb23c836
Opcode Fuzzy Hash: 43023d10a85cda61d37e131ac02b85d890b567be2254b14b8e87af2c66b14e06
Instruction Fuzzy Hash: 7C4193B1D016589FEB19CFA6C96439EBBF2BF89304F14C1AAC518AB264DB750945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 096FD498, Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bb9c72ff42ab0f99a7d950a112eeec9e569387e9108c1a9589f949486e4f7a
Instruction ID: db84e1beff07923f40e85a82d18168443481c4bfc36b2004624e32fcab2bb72a
Opcode Fuzzy Hash: e7bb9c72ff42ab0f99a7d950a112eeec9e569387e9108c1a9589f949486e4f7a
Instruction Fuzzy Hash: A0526D35B005159FCB18DF69C4A4AADB7B6FF89314F168169EA06DB7A0DB31EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 096F8EA7, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e657f4f9e3afb362628ac18b3c476248e3eddf7f0bb7cc815ca697ef2a203d27
Instruction ID: acf8362a36808503403a181a849e6c9348be44a7da347bc2c548f31b5721ade2
Opcode Fuzzy Hash: e657f4f9e3afb362628ac18b3c476248e3eddf7f0bb7cc815ca697ef2a203d27
Instruction Fuzzy Hash: 56611478E152099FCB44DFA6E84559EFBB2FF88340F10E56AE816E7354DB34A9028F50

Uniqueness

Uniqueness Score: -1.00%

Function 05220006, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783adb2c705a4e5fff1e2bc768686b7c15d9d1fdb1c044e6ab997ac262f5c56a
Instruction ID: 47d5aae2cc0e22a914aed2de3db3ebd40484b2d71829c1d9de6dc40cf7c0c1a5
Opcode Fuzzy Hash: 783adb2c705a4e5fff1e2bc768686b7c15d9d1fdb1c044e6ab997ac262f5c56a
Instruction Fuzzy Hash: C2617A75D1526A9FEB29CF69CC447D9BBB2BF89300F04C2EAD508A7251EB705A81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 096F8EB8, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692e9f8413bccaa4bca7c49e1c4ae92cb96e012a5f4e153b48b2eefa2d84bffe
Instruction ID: 1f83511d56a1ba7eb939518e580ae214eac1ed1dda0b14fe2a81df0b131f50d4
Opcode Fuzzy Hash: 692e9f8413bccaa4bca7c49e1c4ae92cb96e012a5f4e153b48b2eefa2d84bffe
Instruction Fuzzy Hash: A6610578E152099FCB44DFA6E84559EFBB2FF88340F10E56AE816A7354DB34A9028F50

Uniqueness

Uniqueness Score: -1.00%

Function 056C2D28, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f19b00b0181cd7f093c9318b6bff279e5167f942cafccfcb29f097931568ff7
Instruction ID: 506c6e7743985b52ceae4758f0344fc7d56c995a0da569ade6cef2b1326c86cc
Opcode Fuzzy Hash: 5f19b00b0181cd7f093c9318b6bff279e5167f942cafccfcb29f097931568ff7
Instruction Fuzzy Hash: F061E2B8D00208DFCB14CFE5E5945ADBFB2FF89305F14846AD816AB264D7385A46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 056C2D18, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0599cc8239a5b4ac2745410e3def16ede57ece34a774c1a9ac428542e96aabbb
Instruction ID: c2f59c54e65cb7593596de772f777aa0746c367e870ca4eb9c5f146a6606968b
Opcode Fuzzy Hash: 0599cc8239a5b4ac2745410e3def16ede57ece34a774c1a9ac428542e96aabbb
Instruction Fuzzy Hash: 16611778D00208DFCB14CFE5E5946ADBFB2FF89301F1484AAD856A7264DB385A46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 096F8BC8, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74103a560fc614722b047396862a598d96e1496dac1c75bd3b074f527bcf4688
Instruction ID: 024248fbd89b67466293d9e126527b25b4496a93a40c9e0804660fe8c51f733e
Opcode Fuzzy Hash: 74103a560fc614722b047396862a598d96e1496dac1c75bd3b074f527bcf4688
Instruction Fuzzy Hash: 59513474E0520ACFCB04CFAAD5956EEFBF2EF88344F10916AD505B7214D7349A428FA5

Uniqueness

Uniqueness Score: -1.00%

Function 056C3200, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e9c1be2445f4c372540135b8d64770bd8d9b21cce94f4909eac1748c473369
Instruction ID: 12cc30523f065a87e79a2462c3b04f2a0d069c7d9c57d59cf09fbbccd07f7d3f
Opcode Fuzzy Hash: c0e9c1be2445f4c372540135b8d64770bd8d9b21cce94f4909eac1748c473369
Instruction Fuzzy Hash: D9510474E14649DBCB24CFE9D8405ADFBB6FF89300F24862AD51AAB314DB706942CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056C31F1, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11ee1752c150bc224b86427077d880587ce6e0285a5131af6a79adefb3cb832
Instruction ID: 36c542a5db25137c3ff9ae242b6e2246a7a1e588012eb4c54013b4e9c0f935c0
Opcode Fuzzy Hash: a11ee1752c150bc224b86427077d880587ce6e0285a5131af6a79adefb3cb832
Instruction Fuzzy Hash: 3D51F375E14649DBCB14CFE9D9405ADFBB2FF89314F24862AD51AAB214EB30A942CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05221C2C, Relevance: 1.7, APIs: 1, Instructions: 232processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05221E14

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 30f22b97d9771073c17d4cf346b273e261df958f759153bb21f4f4c0a11af475
Instruction ID: 47c4e5ebf0861b333d2cdb8679770412a56c3589381c678dfa607e97ee2c05f0
Opcode Fuzzy Hash: 30f22b97d9771073c17d4cf346b273e261df958f759153bb21f4f4c0a11af475
Instruction Fuzzy Hash: F8910275C04229DFCB20DFA4C880BEDBBB5BF59304F1191AAE509B7220DB709A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05221C38, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05221E14

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4aa0562aaf73b76b6983124d64e084efcbd25ccf026ccb0d099dd0d323469567
Instruction ID: 4b26507c0e1b4880eb83ea525275f4c12136ac9deb61192bfd0f557abd61eede
Opcode Fuzzy Hash: 4aa0562aaf73b76b6983124d64e084efcbd25ccf026ccb0d099dd0d323469567
Instruction Fuzzy Hash: 8681F275C04229DFCB20DFA4C880BDDBBB5BF49304F1191AAE509B7220DB709A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05FBF31C, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05FBFD3B

Memory Dump Source

Source File: 00000001.00000002.301327705.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b390977cdd91a6da05ff50ceecc6a24e3eb37b79cafb4861ee0388cb0cc01c3d
Instruction ID: 92ebc3dbc49dc119688ad7c421d1dc9f7dbdcf263ceee06f294ed71f1eecac12
Opcode Fuzzy Hash: b390977cdd91a6da05ff50ceecc6a24e3eb37b79cafb4861ee0388cb0cc01c3d
Instruction Fuzzy Hash: 725154B8D04258DFDB10CFAAD984ADEBBF5BB09314F24902AE819BB214D374A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05FBFC38, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05FBFD3B

Memory Dump Source

Source File: 00000001.00000002.301327705.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f74e9166c47ffeb1cd70ac3bb96627db25da63497a4972829eb9c9f0441fc59c
Instruction ID: 6ca41a83c5607e357dfe6a28cd3178600d002c97d5df406d60974f7a4512575b
Opcode Fuzzy Hash: f74e9166c47ffeb1cd70ac3bb96627db25da63497a4972829eb9c9f0441fc59c
Instruction Fuzzy Hash: F05155B8D05258DFDB10CFA9D984ADEFBF1BB09314F24902AE819BB214D374A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 056C803C, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 056C95C1

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc4d672b5ff6cf5b9ff1f72e7d97797472031e68ae6d720abb2e30b2472c2129
Instruction ID: cef9599c905ddcb75c61f9f1c4dd2babc30221755bad4a17cfbff74565a2c38e
Opcode Fuzzy Hash: bc4d672b5ff6cf5b9ff1f72e7d97797472031e68ae6d720abb2e30b2472c2129
Instruction Fuzzy Hash: 6251C371D0462C8FDB20DFA5C880B9EBBB5FF45304F5180AAD509BB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052229F0, Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05222ACE

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9b9e9a32a6305f6b0f66e73d61cd26b24d20ca5e6b6105639db3057e61734723
Instruction ID: 1b7b153660b7ade4763657f7fd07dc1a66b364ac09988cad051009bab1df3379
Opcode Fuzzy Hash: 9b9e9a32a6305f6b0f66e73d61cd26b24d20ca5e6b6105639db3057e61734723
Instruction Fuzzy Hash: DA4189B9D04258DFCB10CFA9D984ADEFBF1BB09314F24902AE818B7210D375AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 052229F8, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05222ACE

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 85ceb52aee0fa19d6640d63e14b12f38efbe58ab9e05862588ab840ffda7d479
Instruction ID: cec57586c02fe00a70339843c0b77576aa5f8f9dc9d628fa1e77c29a94fdc3f7
Opcode Fuzzy Hash: 85ceb52aee0fa19d6640d63e14b12f38efbe58ab9e05862588ab840ffda7d479
Instruction Fuzzy Hash: 574178B9D04258DFCB10CFA9D984ADEFBF1BB49314F24902AE819B7210D375AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 052227C0, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0522287D

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 443f7fe4b791d5d2c5807a29e6cd4761746df3243f4b17383bd78fd7ea842ff1
Instruction ID: b183a244b354fded50f722fe7f720d1d726d92c044d065aa7ba20b563ac3a654
Opcode Fuzzy Hash: 443f7fe4b791d5d2c5807a29e6cd4761746df3243f4b17383bd78fd7ea842ff1
Instruction Fuzzy Hash: B64186B9D04258DFCF10CFAAD984AEEFBB1BB19310F14902AE818B7210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052227C8, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0522287D

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: afdae87e01e2796618ee7766af967a8abe95baa09b4e77e04307906542bae497
Instruction ID: 3d4936271bb88aa4a946cdacc095454c390e248dbdc3090b2b37f7a1c0bdf482
Opcode Fuzzy Hash: afdae87e01e2796618ee7766af967a8abe95baa09b4e77e04307906542bae497
Instruction Fuzzy Hash: D94185B9D04258DFCF10CFAAD884ADEFBB5BB19310F10A02AE818B7210D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052228E2, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05222995

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08e004a09203a1794ca42512f92060ecf89b4419c4d886cffe029a62a3bbb282
Instruction ID: d7f04167506e816dbc1e37ad239b0e225dc4afb158ade18766b02af0c5b3b277
Opcode Fuzzy Hash: 08e004a09203a1794ca42512f92060ecf89b4419c4d886cffe029a62a3bbb282
Instruction Fuzzy Hash: 5F3174B9D04258EFCF10CFA9D980ADEBBB5BB19310F20A02AE814B7310D735A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 056C2BCA, Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 056C2C77

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 661e716cdb40e282e9a2726d68fa8a8e11e5db45f455d865162cd539b076ac77
Instruction ID: 98f2422476c0077e86d8986ced2df1c200cb44b75b47811f5020501226129d20
Opcode Fuzzy Hash: 661e716cdb40e282e9a2726d68fa8a8e11e5db45f455d865162cd539b076ac77
Instruction Fuzzy Hash: 5931A6B9D042589FCF10CFA9E880AEEFBB4BB09314F24906AE815B7310D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056CCCA0, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 056CDEE2

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1eb4d75c9a9ecc07ebb4467b78ca99059605a216978f83296eff2b9f1d0348a3
Instruction ID: 2fa04f835cc1676e2a03e90b89a735f492a9149621aeddb320191a8f28af09c1
Opcode Fuzzy Hash: 1eb4d75c9a9ecc07ebb4467b78ca99059605a216978f83296eff2b9f1d0348a3
Instruction Fuzzy Hash: 4A4186B4D042599FCB10CFA9D884AAEFBF5BB59314F14906AE914B7310D334A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056C3FF8, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 056C407E

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 96ac4aba08a7ac574bdd281e4604001c92ace05ea1f76112d26e7abd49372e77
Instruction ID: e0bb7cecf58f8d8b2e480833107e7995f6b5ee9123cf300ba2cceffbd4ecfab7
Opcode Fuzzy Hash: 96ac4aba08a7ac574bdd281e4604001c92ace05ea1f76112d26e7abd49372e77
Instruction Fuzzy Hash: 08310EB4D042489FCF10CFA9D885AEEBFB4EB0A324F14849AE804B3350D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052228E8, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05222995

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a270b4ede79e2292003a5ce61986672baa23fe9c0af2b1a1767369b9477b219a
Instruction ID: 76ab9ed53412bd5646dd0b5dd1784d6a1c9242313e036d8d7eec8c91859b121b
Opcode Fuzzy Hash: a270b4ede79e2292003a5ce61986672baa23fe9c0af2b1a1767369b9477b219a
Instruction Fuzzy Hash: B33164B9D04258DFCF10CFA9D984A9EBBB5BB19310F20A42AE814B7310D735A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 056C2BD0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 056C2C77

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2127b516d8ae0e5aea70a6b6194c0b894820ec8da428c9d0b6ecef5410341136
Instruction ID: 96210b3c55cd9d18a93732f63ca85264ebac1dac88fd2e3359ba659b5c8fbe8c
Opcode Fuzzy Hash: 2127b516d8ae0e5aea70a6b6194c0b894820ec8da428c9d0b6ecef5410341136
Instruction Fuzzy Hash: AF3198B9D042589FCF10CFAAD884AEEFBB4BB09310F14906AE814B7310D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 052226A8, Relevance: 1.6, APIs: 1, Instructions: 93threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05222762

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b20066d665bc3370804d11f9e828733df4fcd572da7bade76819ef7bc2bf2a14
Instruction ID: e0028f9fd73300d88d4aac3127d01333734be24902074ea67968890a343dbd14
Opcode Fuzzy Hash: b20066d665bc3370804d11f9e828733df4fcd572da7bade76819ef7bc2bf2a14
Instruction Fuzzy Hash: 6931AAB8D052589FCB10CFA9D884ADEBBF5BB49314F24802AE414B7200D779A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 052226B0, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05222762

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 607f66ad7a8713aa2736dac6ef3bd38106874c40ce3d1be7d7fefe12b4b86906
Instruction ID: 906e9389451b58b5c60f2b5e3a890b4698319b33a39dba2f086d6db44648e851
Opcode Fuzzy Hash: 607f66ad7a8713aa2736dac6ef3bd38106874c40ce3d1be7d7fefe12b4b86906
Instruction Fuzzy Hash: 7D31A9B8D04258DFCB10CFAAD884ADEBBF1BB49314F24802AE418B7200D779A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05222FC8, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0522306B

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5f780e0b579621704b25c8f182cac02e3b380442cf893126a41e7f9b18efbd5d
Instruction ID: 1ef46e3869a5ca393ccff264e8425e38e4f6979809b9958eb44bbacd874643ca
Opcode Fuzzy Hash: 5f780e0b579621704b25c8f182cac02e3b380442cf893126a41e7f9b18efbd5d
Instruction Fuzzy Hash: 8B3186B9D00258AFCF10CFA9D884ADEFBF4AB59310F14942AE814B7310D375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05222FD0, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0522306B

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a106578f52c6184941135b9f365fc218e3b9963aa823408d61fc5325d605cbfb
Instruction ID: 634bdbcb615377a850e32c7bf06e5c30ff73cd8d2516c0e4dc32963ff7349a1d
Opcode Fuzzy Hash: a106578f52c6184941135b9f365fc218e3b9963aa823408d61fc5325d605cbfb
Instruction Fuzzy Hash: 3A3186B8D00258AFCF10CFA9D884A9EFBF4AB59310F14941AE814B7310D375A9458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 056C01E0, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 056C3F62

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 5140bb4dee32858bdd7b84b21a821846c0e1ea36d5473ba768b6b3e7294d0b08
Instruction ID: a4fa8a31ca699b1052174e374fa7a9dd332150bdff9ee2462442bd4756e64258
Opcode Fuzzy Hash: 5140bb4dee32858bdd7b84b21a821846c0e1ea36d5473ba768b6b3e7294d0b08
Instruction Fuzzy Hash: F431AAB4D042489FCB10CFA9D584AAEFBF5AB49314F14846AE818B7310D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056C3EC1, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 056C3F62

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 1c5816452b030782dde67e022be3531c43675e705f64429fd41fcfc582e4209b
Instruction ID: 2fc65d81e94895683060da4ead82cbf1bbdb94a9f034381e78502d41e073e7df
Opcode Fuzzy Hash: 1c5816452b030782dde67e022be3531c43675e705f64429fd41fcfc582e4209b
Instruction Fuzzy Hash: E031ABB4D042489FCB14CFA9D484AEEFBF5AB49314F14846AE818B7320D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056CDB28, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 056CDBBA

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1d1738404dffcfbf69005583bf59c62f45b17fae8926554b53500eb6f23006d5
Instruction ID: 5404984c16fb00a8cd1d71e82bb69fe28f58c98e492ef04008cb7a8c1f8770e4
Opcode Fuzzy Hash: 1d1738404dffcfbf69005583bf59c62f45b17fae8926554b53500eb6f23006d5
Instruction Fuzzy Hash: 243187B4D042599FCB14CFAAD884AEEFBF5AB49314F14906AE818B7310D334A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056C01F8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 056C407E

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 021bfc18fe1b26cf97e866d94bb7bc99133a3105f7fa7beef4c4e2d5df1d92c9
Instruction ID: 4f9d523a63359a157de068638074806c506bddbcf8d39c4d2b60826bb393a740
Opcode Fuzzy Hash: 021bfc18fe1b26cf97e866d94bb7bc99133a3105f7fa7beef4c4e2d5df1d92c9
Instruction Fuzzy Hash: 8331A9B4D042589FCF10CFA9E884AEEFBF4AB09225F14905AE815B7300D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05222C18, Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05222C9E

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a5c4c4022f3e2ee214999766cfcd8a84adc91b19b17581ca1a60aeabf6e00542
Instruction ID: 67772af5ec009793d31d5a8669149f2e6d3e2bc9c3094354c1ab3b4e099097bb
Opcode Fuzzy Hash: a5c4c4022f3e2ee214999766cfcd8a84adc91b19b17581ca1a60aeabf6e00542
Instruction Fuzzy Hash: 5531AAB9D002189FCB10CFA9D884ADEFBF4BB59324F14902AE818B3300D375A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05222C20, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05222C9E

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db61034c3e61f608a4729ab47d2afd64b64b575d96412b3a9ca9d9d5a38c616b
Instruction ID: 8c0be1bb36e085397d239209a0ef9b7cacf2d25491b0562e52f264f3cb8c404b
Opcode Fuzzy Hash: db61034c3e61f608a4729ab47d2afd64b64b575d96412b3a9ca9d9d5a38c616b
Instruction Fuzzy Hash: 462197B9D142189FCB10CFA9D884ADEFBF4BB49324F14902AE819B7300D775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 096F2F40, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95a261b0f90d8387d849ed8f3d7ed58baf2d0ceddff66e89f4fb80e7a1b72c4
Instruction ID: 6656da14bed7d18d94169608efd004257b343071cc39951a05c7d9dc124d91e2
Opcode Fuzzy Hash: d95a261b0f90d8387d849ed8f3d7ed58baf2d0ceddff66e89f4fb80e7a1b72c4
Instruction Fuzzy Hash: 4142F230D00619CFCF15EFA8C855ADCBBB1BF49340F5186A9D5497B264EB30AA99CF81

Uniqueness

Uniqueness Score: -1.00%

Function 096F2F30, Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c298aada06074e38572ca4620bae297295eb5d2becbd58831b3fdab10c69d4
Instruction ID: e2490fe20b886be1f4793381f8f910f40102ba7410cb2389833b5deef8954758
Opcode Fuzzy Hash: 63c298aada06074e38572ca4620bae297295eb5d2becbd58831b3fdab10c69d4
Instruction Fuzzy Hash: E2420330D00659CFCF15EFA8C855ADCBBB1BF49300F5182A9D5497B265EB309A99CF81

Uniqueness

Uniqueness Score: -1.00%

Function 096F3768, Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c24e76c84546f6d42f5d550c43615518879fb9979fd4cb22502bdaf1b5de69
Instruction ID: 072f4582488c35f4642735307d2dee5495cdea8543a4846013762cde56863ad5
Opcode Fuzzy Hash: 31c24e76c84546f6d42f5d550c43615518879fb9979fd4cb22502bdaf1b5de69
Instruction Fuzzy Hash: EE227C31A00709DFCF15DF64C854A9DBBB2FF85340F10869AE949AB350EB74EA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 096F12D8, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183670d9132638c0702e6f5fe1836c3ccf4efad38b944ff738f1b94c22c95c03
Instruction ID: 5453485a23463c14e4d00cdc190bac4abcf88d56aa988ff7a59264bdbd2e5927
Opcode Fuzzy Hash: 183670d9132638c0702e6f5fe1836c3ccf4efad38b944ff738f1b94c22c95c03
Instruction Fuzzy Hash: 0EB1BC71B08208CFDB24DFA5C8646ADBBB2FF8A340F22456ED209A7345DB359851CB51

Uniqueness

Uniqueness Score: -1.00%

Function 096F0040, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a1cc25ad857a6a3794eb5cc4cefe2e7d35d8b7b23330e4c98206d2e8fca695
Instruction ID: 3181732a6a8ed4b3e71a540e567119bc92503291ef03ea72c4293917862fd322
Opcode Fuzzy Hash: 36a1cc25ad857a6a3794eb5cc4cefe2e7d35d8b7b23330e4c98206d2e8fca695
Instruction Fuzzy Hash: 52812D35A0025ACFCF11DFA9C8909DDFBB5FF89310B158656E918AB211E730ED96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 096F25A0, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ce8f32e697935f1899fc4dd6539b687f407f00fd61a10ec68f9261db5a9555
Instruction ID: fda5dd95e1da60b1e43bcd6384a02968e7bc83754e4ca8a03664ac4082146ac2
Opcode Fuzzy Hash: 55ce8f32e697935f1899fc4dd6539b687f407f00fd61a10ec68f9261db5a9555
Instruction Fuzzy Hash: 3B818E30A00609DFCB15EFA8D9B96EDBFB0FF44340F114469E565A72A4EB7099A5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 096FD298, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675f4171fa88a97b5786dadc246552b519cbc4209c9d097896bee4c91409d237
Instruction ID: b54216c53034c20be37f9ef0a3554236e8be9e2f347c4fac5b2e823200416d6f
Opcode Fuzzy Hash: 675f4171fa88a97b5786dadc246552b519cbc4209c9d097896bee4c91409d237
Instruction Fuzzy Hash: E461A432B052568FCB14DF78C4B566E7BB2AF86254B05846AE705CB3E1DB30F845C792

Uniqueness

Uniqueness Score: -1.00%

Function 096FCE70, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea42f26575201e4228d1a9565422a91c28c11f6a15cae340391307211ee7a5bb
Instruction ID: 72cc69a46711acf55add494cdb1ed7c15ae56ef02c947ccbde2247d5d6d35ea5
Opcode Fuzzy Hash: ea42f26575201e4228d1a9565422a91c28c11f6a15cae340391307211ee7a5bb
Instruction Fuzzy Hash: 63617231B011188FCF04DFA8D565AADBBB2AF88711F15506AFA02EB3A0DB30DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 096F1A6C, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff93e83cd6a43fca8fb9217745032979d5c6a4c5fc903a4ba2cd18c86d3fd07
Instruction ID: f4e860d5a08fe35ca6b1b8ddad8a2bdcea051dcdd0bfabe893e4fcdab5c8a839
Opcode Fuzzy Hash: 0ff93e83cd6a43fca8fb9217745032979d5c6a4c5fc903a4ba2cd18c86d3fd07
Instruction Fuzzy Hash: A2510631B082948FCB06DB64C8649EE7FB6EF8A344F5640AAE505AB351DF34AC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 096F3DB0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02fda1e846ea3bb01fae856f5d1b803cb24c48cfa2624aafc040f30796d1982
Instruction ID: c6f459e3b0cc44d98f4fc7b122feec74bd1c46e9a460888530c549b30139ac90
Opcode Fuzzy Hash: c02fda1e846ea3bb01fae856f5d1b803cb24c48cfa2624aafc040f30796d1982
Instruction Fuzzy Hash: C2613471E0562ADFCF04CFA9E8999AEBBB1FF48300F05816AF944A7354DB309864CB54

Uniqueness

Uniqueness Score: -1.00%

Function 096F0ED8, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5ab17ce16073471bf9bff161ffb7c549def6dc54ed274bd6c48a398ad9a3a3
Instruction ID: 713a388e3470e4c4b1c55268033c0f1da336a3b3858ef4b1698c2afca99a1908
Opcode Fuzzy Hash: be5ab17ce16073471bf9bff161ffb7c549def6dc54ed274bd6c48a398ad9a3a3
Instruction Fuzzy Hash: 9F51AC31B01248CFDB04DFA9D864AACBBF2AF89310F1985A9F501AB3A1DB749D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 096F1B0C, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a11613f3ae382bb7069586acc4e57ff0fb1aaeeef2958fd966a7207ce8f5de
Instruction ID: d539da8f47b905d5ecbc5567b6297ffd932437e3529740fcfa5f755b5fcf1b4d
Opcode Fuzzy Hash: 03a11613f3ae382bb7069586acc4e57ff0fb1aaeeef2958fd966a7207ce8f5de
Instruction Fuzzy Hash: D3418270F0451A9FDB05AF65C8796AA7BF1EB44340F510425E636E7294EA30C916CED1

Uniqueness

Uniqueness Score: -1.00%

Function 096F2816, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b8105059f7ab13ba66a78abe94b8a2bbf6f1a750f5895e4c2674a5ea845500
Instruction ID: 0f971874a6957e5c8a655ff2a2f323b9686af9f5881a01d483eb921c5a89efaa
Opcode Fuzzy Hash: d3b8105059f7ab13ba66a78abe94b8a2bbf6f1a750f5895e4c2674a5ea845500
Instruction Fuzzy Hash: 5641F470E042169FDB06EF65C97A6E97BB1BB04340F11046AE636A7295E630C916CF81

Uniqueness

Uniqueness Score: -1.00%

Function 096F0EE8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9760378d7c870814bdfb479405222679158c643d602dda1e461f0ad41d52c0d7
Instruction ID: 0c8065ea72b0c793e54e048c2c3444d7ee649004266b0d84a3de00551519e400
Opcode Fuzzy Hash: 9760378d7c870814bdfb479405222679158c643d602dda1e461f0ad41d52c0d7
Instruction Fuzzy Hash: 87413C31B01208DFDB04DFA9D864AADBBB6EF89310F158569F501AB3A1DB74DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 096F1ADC, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424923b471589dd21205934545251bc3f9c6faa4cf9bc20a29de213cc1bdc9a4
Instruction ID: 6f1b9c3dbecf04fcf4493c19225ca8a3a295eb5f345db7140b3316b04e11a69b
Opcode Fuzzy Hash: 424923b471589dd21205934545251bc3f9c6faa4cf9bc20a29de213cc1bdc9a4
Instruction Fuzzy Hash: 484165B4D012589FCF10CFA9D984A9EFBF5BB49314F24902AE918BB310D374A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 096F21E1, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc8a70136956b9aa175aacb18c255cbb295c22ba02a27c89e279341ab123d87
Instruction ID: 0044f58034841a167a46df431d913fef7e592068c99223a6444cb77b0e2b15dc
Opcode Fuzzy Hash: 7cc8a70136956b9aa175aacb18c255cbb295c22ba02a27c89e279341ab123d87
Instruction Fuzzy Hash: 774144B5D012589FCB10CFA9D984ADEFBF1BB49314F24942AE918BB310D374AA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 096F12C8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c008d0540e1690de0855afaf074936922069dd5a00375b2290606ad96d46c6c
Instruction ID: f634c6c2ec4b7969efc91c407e11cf9896c66ce5c6a3d102ebd8a0aa07ff98d9
Opcode Fuzzy Hash: 3c008d0540e1690de0855afaf074936922069dd5a00375b2290606ad96d46c6c
Instruction Fuzzy Hash: F2413370E09208DFEF219FA5D9985ADBFB2FF89300F224199E4456B256CB3198A1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 096F1D36, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e88b2dc311990b4241bc01209e87c13589c9332c5310cb84459878cd55168e
Instruction ID: 2ab223a72fcacc1072915cdc7f44ee3586b76cf4dad387a57343a397e1ed80aa
Opcode Fuzzy Hash: 21e88b2dc311990b4241bc01209e87c13589c9332c5310cb84459878cd55168e
Instruction Fuzzy Hash: 0431F931A04298DBCF01DBA0C860ADEBBB6EF89344F514169E50577751DB34AD09C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 096F1A88, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a08d13f24a32fb6fdfcb5064b5e557c95e73a9735d1d19306f798c82238006
Instruction ID: 3512e5eef47b84549e156a5eef9ad77d1ba8c2d2a26d866aee9e24b1c200bd6a
Opcode Fuzzy Hash: 14a08d13f24a32fb6fdfcb5064b5e557c95e73a9735d1d19306f798c82238006
Instruction Fuzzy Hash: 39310332A04269DBCF05DFA0C860ADEBBB6EFC9344F514169E60577790EB34AD09C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 096F11E8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b44c58ee8467234730a0c22821acf6eb3ad52f6c297d7c40505a92ecd2dd023
Instruction ID: 39cf8841aa63104f1b98b62ce07bf80710d8b44cd94f83cba68318b204f411a1
Opcode Fuzzy Hash: 4b44c58ee8467234730a0c22821acf6eb3ad52f6c297d7c40505a92ecd2dd023
Instruction Fuzzy Hash: B4212530E18206CBDF15AFE9C8641EDBBB0EF433C8B524529D646E7244FB32D991DA91

Uniqueness

Uniqueness Score: -1.00%

Function 096F1C08, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6762f5fecbf1e7e4aaa096b8e35e287b405d7e61a23a0941b862605336cdd1cb
Instruction ID: 0e27e99e1169ebde09176cb0e3bdc2b1ff0e0fa91bab0bd44c26688c9eb2495b
Opcode Fuzzy Hash: 6762f5fecbf1e7e4aaa096b8e35e287b405d7e61a23a0941b862605336cdd1cb
Instruction Fuzzy Hash: F221D471B04204CFDB15EF78D4649ADBBF2EF8A250F1640ADD505EB351DA389D46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 096F4E20, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2672d89e2109b0ccdd961c6b7f28ae29839a23d4234f48336dca2adbbfb05369
Instruction ID: ce9624aeef6c489c6bf7ebbc9a40a50b7fd99147f8564811fdbaae900d184649
Opcode Fuzzy Hash: 2672d89e2109b0ccdd961c6b7f28ae29839a23d4234f48336dca2adbbfb05369
Instruction Fuzzy Hash: AE212C35F106098FCB11EFA9C4586AEB7B4FF89210F44416AE619E7260EB709945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 096F49A0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdcacdc8366a783527a8866920043a9eca9aa2c414f9c8ddd6f3a141e4b2bf6
Instruction ID: 17f817f872b835a5e0a2f08e42938b5dc02e2cc57dd27fdd847343cbafc934af
Opcode Fuzzy Hash: 5cdcacdc8366a783527a8866920043a9eca9aa2c414f9c8ddd6f3a141e4b2bf6
Instruction Fuzzy Hash: 90212232F007514FDB11DF7CC8A62AFBBB1EFC5210F08816ED655A7715EA7899018B85

Uniqueness

Uniqueness Score: -1.00%

Function 096F47C8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e76e3a2e0f50c6e7f9a919f73fba9a768e47d1d21d4b9b3f5f1677c26fb52e
Instruction ID: 395517085cab6f813025c57663470a946a4a018ddf8403871e2e7720d99fc2c6
Opcode Fuzzy Hash: a6e76e3a2e0f50c6e7f9a919f73fba9a768e47d1d21d4b9b3f5f1677c26fb52e
Instruction Fuzzy Hash: 2B213175E0020A8FCF44EF69C8948EFB7B5FF893407108669E905A7311EB70E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 096F47B8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829d15e5689d764e0e31d8f5d8239e574c4e8c5ed295fa1cd3494b67bb5fbdc9
Instruction ID: 8676f5010044a0edcffab3505c1880b98479187c66d4ab14fecb1f43c6857e28
Opcode Fuzzy Hash: 829d15e5689d764e0e31d8f5d8239e574c4e8c5ed295fa1cd3494b67bb5fbdc9
Instruction Fuzzy Hash: B2216A75B002058FCB44EF69C8958AEBBB5FF89300741866AE906E7351EB34ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 096F1C30, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae237ac28f854419d57e5a603f3fa7c67f8fe7c2db3c7f12cfdd1cacbd3c8ffd
Instruction ID: cb8403a719123ca72d20f01f6b44a7aec9c2b410c858c6391939c68a59dc9253
Opcode Fuzzy Hash: ae237ac28f854419d57e5a603f3fa7c67f8fe7c2db3c7f12cfdd1cacbd3c8ffd
Instruction Fuzzy Hash: 0E11E670B04244CFD705EF64C4689ADBFF2EF4A250F5641ADD101AB351CA38DC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 096F1140, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d57e9f797cc83e0829e6d57665a121f09f867216c2678d7a5bf6b8a4b689bce
Instruction ID: a1519a2cae0ba02e83423a598cb0cccf970b59a52147064fda0e62340231930b
Opcode Fuzzy Hash: 8d57e9f797cc83e0829e6d57665a121f09f867216c2678d7a5bf6b8a4b689bce
Instruction Fuzzy Hash: 8511E572F0910AEFCF11AE99D9541FDBFB0EB41390B2248A2D189B3294F23186318FD0

Uniqueness

Uniqueness Score: -1.00%

Function 096F4541, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac3fa3684c991eb02ee7f21ef6cd27f1e2e6db1d570546e4f9e653d4dffca2d
Instruction ID: e8f1f8b791a03563832356c2858436d6d28cb2698675af08c35b22113b58272e
Opcode Fuzzy Hash: aac3fa3684c991eb02ee7f21ef6cd27f1e2e6db1d570546e4f9e653d4dffca2d
Instruction Fuzzy Hash: 5211A1717192948FD705EF79D89486ABFEAAF8621131945EBE146CB7B2CA35CC00CB20

Uniqueness

Uniqueness Score: -1.00%

Function 096F4570, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c812d084db37402ddd4ab8776ee913903faf40796688c06c14027e20a6841c35
Instruction ID: ea0c8a62d7a665d5960053cc6eb89281cc3cabfef35bc1a06e5a5ce3ea66fb80
Opcode Fuzzy Hash: c812d084db37402ddd4ab8776ee913903faf40796688c06c14027e20a6841c35
Instruction Fuzzy Hash: 2E017C717142A48FD705EF69C89486EBBFAAF8A61531944EBE141CB3B2CA74DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 096F1130, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e6c3c12e1c79372f2e457721ccb3f4f56e512a45a87f62ae913483131443c7
Instruction ID: 3c83acd9a17463b85a60f699fb0905b8a714cab9a486bacfb99de5da0936d9ed
Opcode Fuzzy Hash: 90e6c3c12e1c79372f2e457721ccb3f4f56e512a45a87f62ae913483131443c7
Instruction Fuzzy Hash: A801F2B2F0D245EFDB12AF68D8240F43FB09B433D071A8DA7C289E7292E130451A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 096F0228, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a751408038aec17a06f223762b9330e4fbe6d6daf278be9e49f64a1b47af12e2
Instruction ID: 9ed0bbde60da9451e4edd718508547e1021e02e104121a563dfc9f00fb65bd21
Opcode Fuzzy Hash: a751408038aec17a06f223762b9330e4fbe6d6daf278be9e49f64a1b47af12e2
Instruction Fuzzy Hash: 7E0186343092508FCF159E79C8649693FEA6F8261130A00DAE545CB372DE10CC42E3B1

Uniqueness

Uniqueness Score: -1.00%

Function 096F29AB, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf9bdf11db26db924576ddd9067f3c86a2b308ae896990362d34f8b4daecedb
Instruction ID: 6e780dabb578ce28890f63f98fe7deceb0805693085f17a2bf1e8ca111048581
Opcode Fuzzy Hash: ccf9bdf11db26db924576ddd9067f3c86a2b308ae896990362d34f8b4daecedb
Instruction Fuzzy Hash: D7110870E006058FDB11CFA8C8147AE7FB1EF4A314F044669D521B7391DB785446DF84

Uniqueness

Uniqueness Score: -1.00%

Function 096F4580, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe08351101fc28fc1f25e25796498250a993c974b07c8b8d50f0215d58a482c
Instruction ID: 8f949aad5cddd6c2519c2091efdfb05b98e976965d6287af4f07713b9cb54cda
Opcode Fuzzy Hash: ffe08351101fc28fc1f25e25796498250a993c974b07c8b8d50f0215d58a482c
Instruction Fuzzy Hash: 390169323101248FC704EF6EC89886EBBEAEF8A61531444AAF601CB3B1DA75DC00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 096F29B8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a16a272c34776118614a63f1054f35c0d1ef1a9181e09c3d37f9597e7f7b30
Instruction ID: 87e340c94b92976dc691fdd6aeffa27bca1928806d2ccb5796e373748afb0bc9
Opcode Fuzzy Hash: 75a16a272c34776118614a63f1054f35c0d1ef1a9181e09c3d37f9597e7f7b30
Instruction Fuzzy Hash: 24016970E006098FDB10DFA9D8147AEBBB1EF48304F148529D625B7391DB789A45CF85

Uniqueness

Uniqueness Score: -1.00%

Function 096F1B89, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2c6f4b9c57c670fa17291010aadec82c9db533b58c68e7ccf7b36702e375c4
Instruction ID: 8c2743db17a6672ffcd74c1a2cd416fc713240cf097c4dc4604e909fc4f82a03
Opcode Fuzzy Hash: df2c6f4b9c57c670fa17291010aadec82c9db533b58c68e7ccf7b36702e375c4
Instruction Fuzzy Hash: 33F0F432E09294DBCB06AB2890242DD7BB2DF87240F12089DD5016B341CEB91D09CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 096F2EB8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f70a3ec4bd285e14568c6d7ea8e738c092570e05a4250472f7e71bebbebf3e
Instruction ID: 7a08b21b732adccff32d9cfd9c08a3ee2f86dd891f42c0ccb6a2a7c4cfd03a29
Opcode Fuzzy Hash: 62f70a3ec4bd285e14568c6d7ea8e738c092570e05a4250472f7e71bebbebf3e
Instruction Fuzzy Hash: 1D01A232A1074ADFCF11EFB4C8444DDBB72FF99305B118B69E04567220EB70A599CB80

Uniqueness

Uniqueness Score: -1.00%

Function 096F4930, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2aea0e7822ab2ec540c7909fb73cf8fed9a4e5c6fe13500d30a667abc6f664e
Instruction ID: 48c3212b67fd5ccac6a2e29316906f204132122235d46a170d3816361ca291b1
Opcode Fuzzy Hash: f2aea0e7822ab2ec540c7909fb73cf8fed9a4e5c6fe13500d30a667abc6f664e
Instruction Fuzzy Hash: 7D01AF366097C18FC7175B3898265597FA09F8322530E06DBD5D5CF6B3CA284C45C716

Uniqueness

Uniqueness Score: -1.00%

Function 096F48B7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ddcc1343d81a34fb7dc62a9b05bd00a679da1c94ffce1bde10b28f6ed9e1cf
Instruction ID: b53eb10e53b0916f21487012ec8aea9f8bf6c677d09f6812c296d6c8fb2a65d8
Opcode Fuzzy Hash: d6ddcc1343d81a34fb7dc62a9b05bd00a679da1c94ffce1bde10b28f6ed9e1cf
Instruction Fuzzy Hash: BF0144347012508FD7059B3DD858D6977E6AFC962071A80EAE509CB372DE74DC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 096F6382, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76603c0465b35a5818d4bef045567eeace12466c5c916346e47c8dcc54a9dcd4
Instruction ID: 1e88ad83b8f83425bad3ff82a2cc5b28ea80a97cf2caf738a48096f33a0897b3
Opcode Fuzzy Hash: 76603c0465b35a5818d4bef045567eeace12466c5c916346e47c8dcc54a9dcd4
Instruction Fuzzy Hash: 3011C874E05228CFDB66DF65CD55B99BABABF98300F0090E9E90DA3254DB315F818F10

Uniqueness

Uniqueness Score: -1.00%

Function 096F1B98, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113117825751d82dc4c9594caf7e90daa5c3b4d5b543737fd41b312aaeec1f8b
Instruction ID: cec77dd39c67bd3498bca79b6a91a8e8165834bc102e2ff4439831ddcab3cd56
Opcode Fuzzy Hash: 113117825751d82dc4c9594caf7e90daa5c3b4d5b543737fd41b312aaeec1f8b
Instruction Fuzzy Hash: C0F02432B0421887C718BF68C0246AE76F6EBC5744F51086ED502AB384CFB92D0587E5

Uniqueness

Uniqueness Score: -1.00%

Function 096F4770, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ddd7805e21955a33538bcb5c93a5f4f661639e5d3c87056b64964bc00c6b7b
Instruction ID: 43fe9e8a23ab4955b4225bcf4b8a6134bf16e98d03846d11433b589c021e322c
Opcode Fuzzy Hash: b3ddd7805e21955a33538bcb5c93a5f4f661639e5d3c87056b64964bc00c6b7b
Instruction Fuzzy Hash: FCE01271B016248B474CFBAFA45886AF7DBEFC8560318C5BFD90D87729ED71A90186C4

Uniqueness

Uniqueness Score: -1.00%

Function 096F8E10, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a8966ee97b65d3276563e7958faf2a9c0776e82474ce6a9a2535f0f3e517c2
Instruction ID: c28d8b12bcaedaf256b5d464bbbd7cc5f252182395bd94befc5b333b79aca33b
Opcode Fuzzy Hash: d4a8966ee97b65d3276563e7958faf2a9c0776e82474ce6a9a2535f0f3e517c2
Instruction Fuzzy Hash: 3EF030B4C09348AFCB42DFE898152ADBFB4FB46204F0446EAC454D7352E7740946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 096F0E08, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e87224b1c8e619504078654adc9b43114e809b97a74ce2708834064987871d7
Instruction ID: 32b3983f8a0eeb3e7502e898a6c903ee547a630474c547d0c778abde26e4706c
Opcode Fuzzy Hash: 9e87224b1c8e619504078654adc9b43114e809b97a74ce2708834064987871d7
Instruction Fuzzy Hash: 34F06DB4C09388EECB22AFB0A419298BFB0AF02201F1945EAD48457762D2340A54CF62

Uniqueness

Uniqueness Score: -1.00%

Function 096F0E97, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deae907679df1def9d62f5e3d2b9fe70ffc408ed73a24b97656daef9741c4e12
Instruction ID: bc577d7cb7f6d71cd308174173711a56078097c5d395a94a4cef2aacf5e0c676
Opcode Fuzzy Hash: deae907679df1def9d62f5e3d2b9fe70ffc408ed73a24b97656daef9741c4e12
Instruction Fuzzy Hash: 76E0125794E3D14FD7234A647C622C43F60AF63515F1A49C7D1D0DA5E7C1544888C762

Uniqueness

Uniqueness Score: -1.00%

Function 096F1750, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e5233dafedfd1b452cb598c8654fb64eaa350cb85fb4aa5139680e670cb2ea
Instruction ID: 4be806fb623b91974e29b05b73e354b3698b3c72067382645885c5c7655410d6
Opcode Fuzzy Hash: 74e5233dafedfd1b452cb598c8654fb64eaa350cb85fb4aa5139680e670cb2ea
Instruction Fuzzy Hash: E1E06D30309344CFC316AB39D8184667BA9AF0720431588BBD0598B6A2C639E881C782

Uniqueness

Uniqueness Score: -1.00%

Function 096FEE58, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad15d41ae553e01ef4b209b71c92427de21e0c1358d3146b8fdd60194cd2f99
Instruction ID: f474dfc0763b5dd390626c1d1ee0ffeb5a4294ce2b1db33634f746a4cfd0742c
Opcode Fuzzy Hash: 5ad15d41ae553e01ef4b209b71c92427de21e0c1358d3146b8fdd60194cd2f99
Instruction Fuzzy Hash: 33F0A574D15248EFCB40EFB8E9057ADBBB4FB05301F4085AAD915A3340E7715A41CF85

Uniqueness

Uniqueness Score: -1.00%

Function 096F4960, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3207d008bf825989ff0dc3dd1f03b0ff08d189e132c0c94e48541b6aa32bb94
Instruction ID: 26f1902522fd3cf0421665464a49ad51244d3508d7b3cf49667a3b69f223674c
Opcode Fuzzy Hash: a3207d008bf825989ff0dc3dd1f03b0ff08d189e132c0c94e48541b6aa32bb94
Instruction Fuzzy Hash: 00E0C232354920578A2A690E982C92E7B8ACBC69A530804AEE68AC7B20CD19DC418299

Uniqueness

Uniqueness Score: -1.00%

Function 096F9151, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42912f1b8784f682860f5f41680479338a67d5152a1723062cace6bfc4676333
Instruction ID: 88eff57612d738fd10598570d48d98b3c9a28de1adda7aae831efa8320978cb9
Opcode Fuzzy Hash: 42912f1b8784f682860f5f41680479338a67d5152a1723062cace6bfc4676333
Instruction Fuzzy Hash: 26E06D70C19284AFCB52EFB4941429C7FB0AB07204F1405EAC545D72A2E7314944C752

Uniqueness

Uniqueness Score: -1.00%

Function 096FC890, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ac269e156e56b39adb1c2a980d49fd8af24e203b6faa16b02adf8aebd33b3
Instruction ID: 3fa7c9e996896ccd02442b1eb79e9bc32bfd009c9cdaeba60ace7d79d77a6602
Opcode Fuzzy Hash: 3c7ac269e156e56b39adb1c2a980d49fd8af24e203b6faa16b02adf8aebd33b3
Instruction Fuzzy Hash: F7F0D47480021DAFCF40DFE8D8006ADBBB5FB08300F00855AE824A2210D7715660DB81

Uniqueness

Uniqueness Score: -1.00%

Function 096F4760, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6744279a1275b642322a98c2b298f01cfb8c9569d62edcbcfc7275b0ab03460d
Instruction ID: 77cee8ca63c6979841d0397d4c4a9312bc445a8bc23248deed84d963e6df5b5f
Opcode Fuzzy Hash: 6744279a1275b642322a98c2b298f01cfb8c9569d62edcbcfc7275b0ab03460d
Instruction Fuzzy Hash: 77E0DFB97067808FE71A9B7198104637F73AFC711030486DEC0888F6B6EA305C0ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 096F1740, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969915697075f7fa7f365b3124732511d168ed9cc7f53610b1dda4a45cee2255
Instruction ID: c2a39568114405d580dd74d5c607aca009e5e3afcab9d3002254ffd50e22a150
Opcode Fuzzy Hash: 969915697075f7fa7f365b3124732511d168ed9cc7f53610b1dda4a45cee2255
Instruction Fuzzy Hash: 00E01A71609384CFC32AAB26D4544557BA5EB42201356C9FED4998B6A2D63AEC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 096F8E20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1c4477c8afe9e222c98761cdd873bf5b4e141128d906d4c1e6ff2aed0773ee
Instruction ID: 96391b86e76b4abbe3a1bfb95b18781f47acf8f5b710910d6c84cca3f3e20f1f
Opcode Fuzzy Hash: 6c1c4477c8afe9e222c98761cdd873bf5b4e141128d906d4c1e6ff2aed0773ee
Instruction Fuzzy Hash: 50E09AB4D002189FCB54EFE8E8556AEBBF4FB44304F5046AAD418A3354E7715A41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 096F16F0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4808b1967ea948baf15bdc203b556294a286cf31d840e79ec7fcdc94eaa7fb80
Instruction ID: e7df12ff7da32b4756a2423c1701097e0e36135cb650e307d8b7990d5c1a38ac
Opcode Fuzzy Hash: 4808b1967ea948baf15bdc203b556294a286cf31d840e79ec7fcdc94eaa7fb80
Instruction Fuzzy Hash: B1E026313193808FDF22ABB4BC5809A3FB5EE8509C38605AFD198C7196EE6C5C0AC385

Uniqueness

Uniqueness Score: -1.00%

Function 096F9160, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88228ce8c5b3cd4126de328481e9dd1511c175996a566c3df671482e4cd495a
Instruction ID: c86e4f91b046a7f9c83e98bd3df62b7c4cfc3b892c77238728aac16724789099
Opcode Fuzzy Hash: b88228ce8c5b3cd4126de328481e9dd1511c175996a566c3df671482e4cd495a
Instruction Fuzzy Hash: 2FE0EC74D01208ABCB50EFF8E45979CBBF4AB05244F5005ADC90597354EB315A858796

Uniqueness

Uniqueness Score: -1.00%

Function 096F21A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe576efda101951715638224bc8c82abd3e75d637ce4dc1332cd7a147520c83
Instruction ID: cce6aca5b44d245d614c56cb5612adc045091db0a76d85813d57414990a8101e
Opcode Fuzzy Hash: 2fe576efda101951715638224bc8c82abd3e75d637ce4dc1332cd7a147520c83
Instruction Fuzzy Hash: 59E0177610E6C4AFC703EBA48944886BF659F4716074980DFE5888F872C1269516D79A

Uniqueness

Uniqueness Score: -1.00%

Function 096F94F0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defae172515e579ff24419e4101155db87504ff69ae1a881386f21378893effc
Instruction ID: a60839a0741b8d3ce5bf3176f0ec0105adfd011120fb87a5235d89a25c068608
Opcode Fuzzy Hash: defae172515e579ff24419e4101155db87504ff69ae1a881386f21378893effc
Instruction Fuzzy Hash: 11E0E2B0D0420CAFCB90EFE9E40439CBBF4EB04208F0082AAC818A3350EB345A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 096F4720, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ae51c9355a47861dbebd934cf8accdf55ad9b93ad15a69074aa78304c14beb
Instruction ID: 32553dbf3905a0cfb3be6b7e76eb61d5a14c402ec502aa5f4171c8c0b00fccd7
Opcode Fuzzy Hash: d6ae51c9355a47861dbebd934cf8accdf55ad9b93ad15a69074aa78304c14beb
Instruction Fuzzy Hash: 47E0C2A510D2C58ECB23DBF4A8293A93F60BF03118F0803CAC4A04B2F7CB650403C346

Uniqueness

Uniqueness Score: -1.00%

Function 096F0E18, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aba84840364fc328d6fb0f466e754863b8631fa607f526ef19b74657616e12
Instruction ID: 6b76e3008948a4b6c96245b374312040515c8be3fafd936c0719f42942dae954
Opcode Fuzzy Hash: 71aba84840364fc328d6fb0f466e754863b8631fa607f526ef19b74657616e12
Instruction Fuzzy Hash: 01D01270D0521CEACB64EFF5A4192ADBFF4AB45205F1481E9D44453354D7341A10DB95

Uniqueness

Uniqueness Score: -1.00%

Function 096F86E5, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc88ae76bb2ae19fe5eb271fef9986afbe5e26db1416ca1c4cd4ce93c8b68338
Instruction ID: a260aa2ad4e21408b25aca5cd8bbf2dcb89dc363c7e01495e79979441d9974e5
Opcode Fuzzy Hash: bc88ae76bb2ae19fe5eb271fef9986afbe5e26db1416ca1c4cd4ce93c8b68338
Instruction Fuzzy Hash: 11E0E534B16229CFCB16CF14DA8469ABBF4FB49300F0461EAD889A7245D7305E40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 096F4730, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ee304a1543491ba96afd79bf4a22f771f6d66e58ab6e174ffa6cd5f6452095
Instruction ID: 5ddd2a9f2737fa834c6578052900bd429928ae81746206600f13d70502e58415
Opcode Fuzzy Hash: b3ee304a1543491ba96afd79bf4a22f771f6d66e58ab6e174ffa6cd5f6452095
Instruction Fuzzy Hash: A2D0A77091110CDFCB50FFF4A80939D7BB4BB01204F5001A9C80493264EB700941C781

Uniqueness

Uniqueness Score: -1.00%

Function 096F21B8, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cc787153128c383530a610f7d6c7478171e9b119ed206cb1e2effba9b0d413
Instruction ID: 3cbd907b470749ce89c70fa0136ab709be35c737adfb05fff204fb98ecf49be9
Opcode Fuzzy Hash: b1cc787153128c383530a610f7d6c7478171e9b119ed206cb1e2effba9b0d413
Instruction Fuzzy Hash: F4C01236100418BF4A01AB85D800C86BBADEF4A654305C05AE60C8B121D662E51297D4

Uniqueness

Uniqueness Score: -1.00%

Function 096F60B9, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d26237ed3873f2bea80984e53fd150086eb7ee9912db54edbdba88d94b01a3
Instruction ID: 1907517de8598ad9747752ba85222868fb6a51e8893439f7e511ba664b56cbad
Opcode Fuzzy Hash: 64d26237ed3873f2bea80984e53fd150086eb7ee9912db54edbdba88d94b01a3
Instruction Fuzzy Hash: 1FC01231626119CFD714DB20C804696B671EB8A351F0050E4500E97255CB305D818E01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 096FEEB8, Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

cZvd, xrefs: 096FEF08
|1q, xrefs: 096FEF42
]N', xrefs: 096FEF9C

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID: ]N'$cZvd$|1q
API String ID: 0-302324162
Opcode ID: 438944194e1a8bef59df8c8696cb39273f432a2aa57e5fcac2f1017fabf60bc9
Instruction ID: 33a13ad0a45ea42daed3aef42e2cdc2103a1f45deacf2e75ab7f48b5f2b5f34d
Opcode Fuzzy Hash: 438944194e1a8bef59df8c8696cb39273f432a2aa57e5fcac2f1017fabf60bc9
Instruction Fuzzy Hash: 59713174E1520A8F8B44CFE9D4945AEBFB2EF89300F10A42AD606B7364D7359A028F95

Uniqueness

Uniqueness Score: -1.00%

Function 096F9538, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

uq, xrefs: 096F9645

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID: uq
API String ID: 0-417495262
Opcode ID: cbb4ecd29d99d5d994fd976857a112ad34e48b9831d27c877f647778f1a04427
Instruction ID: d68e06579112b841802846f337504c31dd0cf4586a1fa4ea5151a4c3e5589a80
Opcode Fuzzy Hash: cbb4ecd29d99d5d994fd976857a112ad34e48b9831d27c877f647778f1a04427
Instruction Fuzzy Hash: B73151B1E016188BEB18CFABD96439EFAF6AFC8304F14C169C518AB254DB7509468F84

Uniqueness

Uniqueness Score: -1.00%

Function 096F9528, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

uq, xrefs: 096F9645

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID: uq
API String ID: 0-417495262
Opcode ID: 2b0a478dc052ea3abc703929168cbc6e573c2ff305b89755d522479fbac9b3c9
Instruction ID: 2481ca0edccfc833bddea470178146b717aea7497d5f958a8f485539c6ea1d18
Opcode Fuzzy Hash: 2b0a478dc052ea3abc703929168cbc6e573c2ff305b89755d522479fbac9b3c9
Instruction Fuzzy Hash: FF4162B1D016588FEB19CFA7C95439EBBF3AFC9304F14C1AAC508AB265DB75094A8F40

Uniqueness

Uniqueness Score: -1.00%

Function 052254C8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb6c6130ad85f47033fa8da0a1822408a0b3e3ab76e7525cd43c71a9b9dd660
Instruction ID: 0886c1fa7986a13984388df188489a3003ab89b0cde1de166b536ca8b897aa12
Opcode Fuzzy Hash: 9bb6c6130ad85f47033fa8da0a1822408a0b3e3ab76e7525cd43c71a9b9dd660
Instruction Fuzzy Hash: 38D1AA34B14225AFDB29DB75C454BBEBBF6AF89600F5484ADD10A8F390CB39E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 056C04E0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fdfd2f0558ab9779aa2741d898f3da51ebf829967a005737e097ad8083bbc5
Instruction ID: 3f2d0c96cc493f4a2de2d86dff930fa38185cc79aaa2c59c88a33544c0e9b7c4
Opcode Fuzzy Hash: a8fdfd2f0558ab9779aa2741d898f3da51ebf829967a005737e097ad8083bbc5
Instruction Fuzzy Hash: 165167B5E016188BDB68CF6B8D4479EFAF3BFC9200F14C1BA850CA6224DB300A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 056C04D0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299955275.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ecadd88a14a20965304c99a8aa4ddf8ed76d81837e4fafc11e58b47f237b48
Instruction ID: 84c1438268916b1756f24995e81a0e83707eedb58a71cb5944793e41dceec5ca
Opcode Fuzzy Hash: 80ecadd88a14a20965304c99a8aa4ddf8ed76d81837e4fafc11e58b47f237b48
Instruction Fuzzy Hash: 62515971E016588BDB68CF6BCD4479AFBF3BFC9204F14C1AA854DA6264DB3049858F51

Uniqueness

Uniqueness Score: -1.00%

Function 05221558, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0ca206e202bb5fd3af7bd5889f5cdf5e4985208a01c8a44e0d9a7beb267b15
Instruction ID: adc4a07d2958901b5a2aa571d0d174379547f921a5c1ec081dbc46222ef1a5a8
Opcode Fuzzy Hash: 0e0ca206e202bb5fd3af7bd5889f5cdf5e4985208a01c8a44e0d9a7beb267b15
Instruction Fuzzy Hash: C941F774E142299FDB54CFA5D881B9EBBF6FF88200F14C0AAD50DA7250DB305A95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05221548, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8039c80922f9ebf7940a4b3f67bda9cd09794c962b7c3d9ef1bc724d658d3c5a
Instruction ID: ff20d1f6bea7265e2ba247fdf624c8aab76cef2953c1d68ca47a7ea552d9e834
Opcode Fuzzy Hash: 8039c80922f9ebf7940a4b3f67bda9cd09794c962b7c3d9ef1bc724d658d3c5a
Instruction Fuzzy Hash: A2413774E112299FDB58CFA6D881B9EBBF3BF88200F14C0AAD50DAB250DB305981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 096F5638, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd3d5da1ae355b040832658c3fa01b2b0d2c2951922875d9cc9015a20effd16
Instruction ID: 3001bcf19f6818da8073b197bd426bc97f583e1d1df685c5ff7462c59f15bdd1
Opcode Fuzzy Hash: 6fd3d5da1ae355b040832658c3fa01b2b0d2c2951922875d9cc9015a20effd16
Instruction Fuzzy Hash: B93183B1E016188BEB18CFABD9547CEFAF6AFC8304F14C169C518AB254DB7509458F41

Uniqueness

Uniqueness Score: -1.00%

Function 096F5628, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308585834.00000000096F0000.00000040.00000001.sdmp, Offset: 096F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74b49d9d35310fd8f74b82f17121c7c11f014fa6f7cdadbd9888285e5877b07
Instruction ID: ee959bb20d699c10404810c73cb5967c582a9a171cc2a8b921f34bea836ad0c3
Opcode Fuzzy Hash: d74b49d9d35310fd8f74b82f17121c7c11f014fa6f7cdadbd9888285e5877b07
Instruction Fuzzy Hash: 9941A2B1E016588BEB18CFABC95438EBBF3AFC9304F14C1AAC408AB295DB750945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05221F68, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bdf68e3007c3ec5dd29820c71b66a6a3d1248b5954f3d371ebd89b2a319c01
Instruction ID: 19b1772b217e1da0662e37f56b7ae8ddfea46b52430660327c082282f4c0b918
Opcode Fuzzy Hash: d3bdf68e3007c3ec5dd29820c71b66a6a3d1248b5954f3d371ebd89b2a319c01
Instruction Fuzzy Hash: ED211575E106199BDB18CFABD9406EEFBF7AFC8210F14C12AD408B7254EB345A128B52

Uniqueness

Uniqueness Score: -1.00%

Function 05221F67, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.299488510.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19568414bb42335bf67b8533ccc1ebbe45fd1444cbfaa9293d42fa9ef428d557
Instruction ID: 2e466ac9bfdde91e8108154b1c0c38b66177aed9e3b7647c3d8369415a8cf6a6
Opcode Fuzzy Hash: 19568414bb42335bf67b8533ccc1ebbe45fd1444cbfaa9293d42fa9ef428d557
Instruction Fuzzy Hash: 1211E771E116199BDB58CFABD9416EEFAF7AFC8200F14C12AD408B7254EB344A41CF55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 1324 Parent PID: 3260 SecuriteInfo.com.Artemis6D92C3B9739F.17565.exeCOMMON

Executed Functions

Function 00D4691F, Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00D469A0
GetCurrentThread.KERNEL32 ref: 00D469DD
GetCurrentProcess.KERNEL32 ref: 00D46A1A
GetCurrentThreadId.KERNEL32 ref: 00D46A73

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ee5d31bf09529ac3b87509b235208488ef80cd81e7a512330145da3588928b39
Instruction ID: affbac945f00ed44718393caa3d6e31f5a682bf58134682a19170f5e29fcdb66
Opcode Fuzzy Hash: ee5d31bf09529ac3b87509b235208488ef80cd81e7a512330145da3588928b39
Instruction Fuzzy Hash: 105157B49047488FDB14DFA9D988B9EBBF0BF49304F24849AE449A7360D7759884CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D46940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00D469A0
GetCurrentThread.KERNEL32 ref: 00D469DD
GetCurrentProcess.KERNEL32 ref: 00D46A1A
GetCurrentThreadId.KERNEL32 ref: 00D46A73

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b68d142ecaa77aec7075264d9d17831166c78045eb0819973e274bd8ecb5b5ce
Instruction ID: 6a82aa0fa898175de6a8fb24f1666b2a3d00601a9d0797945c424cbd3064397f
Opcode Fuzzy Hash: b68d142ecaa77aec7075264d9d17831166c78045eb0819973e274bd8ecb5b5ce
Instruction Fuzzy Hash: 845144B49006488FDB14DFAAD588B9EBBF0FF89314F248459E449A7350D774A884CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00D45084, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D451A2

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e47119e8a399d61be66f9d441cc93b0b9cd7e93c33a2b65529584c740341ab43
Instruction ID: b7ad4482c54a3c47be56a3154a05531e11d6a20c03dd688205c0df12b2dd98d3
Opcode Fuzzy Hash: e47119e8a399d61be66f9d441cc93b0b9cd7e93c33a2b65529584c740341ab43
Instruction Fuzzy Hash: C251D0B1D103089FDF14CFA9D884ADEBBB5BF88314F64812AE818AB214D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D45090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D451A2

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3d663ec33f82850f17d95aa34904e1f4b3ff2ba293606b32aca60dc99d9f92e7
Instruction ID: aa838c9f6d3d6542f286cd6d3d16b7024d1abef28638bc340a0b37221c93ff0f
Opcode Fuzzy Hash: 3d663ec33f82850f17d95aa34904e1f4b3ff2ba293606b32aca60dc99d9f92e7
Instruction Fuzzy Hash: C741D0B1D003089FDF14CFA9D884ADEBBB5BF88314F24812AE818AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D4779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00D47F01

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bc461a9d8abcd01a43585b8aa23083e03eaec43c9228cd3e1449325aa77af9bb
Instruction ID: b6c6b113bd50097e7fc740639fdc253a0993ed785cff6a6b7623279295bc79ff
Opcode Fuzzy Hash: bc461a9d8abcd01a43585b8aa23083e03eaec43c9228cd3e1449325aa77af9bb
Instruction Fuzzy Hash: 13414BB4A04245CFCB14CF99C448AAABBF5FF88314F248499E519A7321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D46B62, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D46BEF

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3bbd1892325453a34109ba4510cc71ecd570bbf60bc52f27375af6aec07c90e
Instruction ID: 196a6f8d8967b9805de8f1bfc7907c0d344a1d8a8a3293c4212eb71373b38586
Opcode Fuzzy Hash: b3bbd1892325453a34109ba4510cc71ecd570bbf60bc52f27375af6aec07c90e
Instruction Fuzzy Hash: 5B21DFB5900248DFDB10CFA9D984AEEBBF4FF49324F14842AE915A7310D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D46B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D46BEF

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dcb082c3168e46ec444ab42d69e212ff86554e1984cc372f07c38b7e15fb639f
Instruction ID: 24bce163d606029ba4d085f3fcabb5cde5ac2faf9b2a84b7bc54934c29999859
Opcode Fuzzy Hash: dcb082c3168e46ec444ab42d69e212ff86554e1984cc372f07c38b7e15fb639f
Instruction Fuzzy Hash: 2821D3B5D002489FDB10CFAAD984ADEBFF8FB49324F14841AE915A3310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C1A8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00D4C222

Memory Dump Source

Source File: 0000000E.00000002.480101181.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 70ab53f9a65e6d50b5e932464902ce7f50a104d3a0d4b6fcb7c3808005e932e1
Instruction ID: eea6eb7204703f643384a3748950a791dad30771a0d8318fd6691a0b5665195b
Opcode Fuzzy Hash: 70ab53f9a65e6d50b5e932464902ce7f50a104d3a0d4b6fcb7c3808005e932e1
Instruction Fuzzy Hash: 6511BEB59123448FDB60DFA9DA4879EBBF4FB48324F248529D405B3310D7B96944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.479118771.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1e2add280192480f5f78cef4fd32d28d2e737163953cd888fda4cf62705b7f
Instruction ID: aba7b5765e8c657dd2de1c94d25d156fbf4afd9d4209d3f341b9c1105f6b8777
Opcode Fuzzy Hash: 2e1e2add280192480f5f78cef4fd32d28d2e737163953cd888fda4cf62705b7f
Instruction Fuzzy Hash: 1C210775A04240DFCB24DF24D9C0B26BB65FB84318F34C5A9E90A4B246C737D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.479118771.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7456e72b066b1c7d50f4321311ce35f58105a91a0abaa89524547573182dfe2a
Instruction ID: 81a38e52ad8f03cd76e9f775c1ed9860c31ecbfa5cd5b274a635bba2f138c848
Opcode Fuzzy Hash: 7456e72b066b1c7d50f4321311ce35f58105a91a0abaa89524547573182dfe2a
Instruction Fuzzy Hash: 73215E755093C08FCB12CF24D9D4B15BF71EB46314F28C5EAD8498B6A7C33A994ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Artemis6D92C3B9739F.17565.19344

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Artemis6D92C3B9739F.17565.exe PID: 3260 Parent PID: 5684

General