Edit tour

Windows Analysis Report
CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Overview

General Information

Sample name:	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Analysis ID:	1562317
MD5:	1ca01a88b80112024883e55a27b1345a
SHA1:	3fdcd8cd1ff882b9c76dd93f680bb7f60fc97c7d
SHA256:	a848e5d8d3a080b81556f4f7ec1fe1103610bf7bbb023065bf2e6696abaf6769
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe" MD5: 1CA01A88B80112024883E55A27B1345A)

RegSvcs.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40349:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40465:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40541:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40667:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a411:$s2: GetPrivateProfileString 0x3d683:$s3: get_OSFullName 0x3aa1e:$s5: remove_Key 0x3aa3e:$s5: remove_Key 0x3daf2:$s6: FtpWebRequest 0x402b9:$s7: logins 0x4082b:$s7: logins 0x4350e:$s7: logins 0x435ee:$s7: logins 0x465aa:$s7: logins 0x44188:$s9: 1.85 (Hash, version 2, native byte-order)
00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7820	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.5340000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5340000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.5340000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5340000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d5ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d661:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d6eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d77d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d7e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d859:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d8ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d97f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.5340000.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37729:$s2: GetPrivateProfileString 0x3a99b:$s3: get_OSFullName 0x37d36:$s5: remove_Key 0x37d56:$s5: remove_Key 0x3ae0a:$s6: FtpWebRequest 0x3d5d1:$s7: logins 0x3db43:$s7: logins 0x40826:$s7: logins 0x40906:$s7: logins 0x438c2:$s7: logins 0x414a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.5340000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5340000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.5340000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5340000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.5340000.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe.2300000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.2ab0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ab0000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ab0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ab0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e4d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e5d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e6cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e7d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ab0000.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38611:$s2: GetPrivateProfileString 0x3b883:$s3: get_OSFullName 0x38c1e:$s5: remove_Key 0x38c3e:$s5: remove_Key 0x3bcf2:$s6: FtpWebRequest 0x3e4b9:$s7: logins 0x3ea2b:$s7: logins 0x4170e:$s7: logins 0x417ee:$s7: logins 0x447aa:$s7: logins 0x42388:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.3cb6458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3cb6458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3cb6458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3cb6458.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d5ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d661:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d6eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d77d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d7e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d859:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d8ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d97f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3cb6458.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37729:$s2: GetPrivateProfileString 0x3a99b:$s3: get_OSFullName 0x37d36:$s5: remove_Key 0x37d56:$s5: remove_Key 0x3ae0a:$s6: FtpWebRequest 0x3d5d1:$s7: logins 0x3db43:$s7: logins 0x40826:$s7: logins 0x40906:$s7: logins 0x438c2:$s7: logins 0x414a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.29bef46.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.29bef46.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.29bef46.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.29bef46.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40349:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40465:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40541:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40667:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.29bef46.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a411:$s2: GetPrivateProfileString 0x3d683:$s3: get_OSFullName 0x3aa1e:$s5: remove_Key 0x3aa3e:$s5: remove_Key 0x3daf2:$s6: FtpWebRequest 0x402b9:$s7: logins 0x4082b:$s7: logins 0x4350e:$s7: logins 0x435ee:$s7: logins 0x465aa:$s7: logins 0x44188:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.2ab0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.29bef46.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.29bef46.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.29bef46.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d5ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d661:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d6eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d77d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d7e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d859:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d8ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d97f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ab0ee8.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37729:$s2: GetPrivateProfileString 0x3a99b:$s3: get_OSFullName 0x37d36:$s5: remove_Key 0x37d56:$s5: remove_Key 0x3ae0a:$s6: FtpWebRequest 0x3d5d1:$s7: logins 0x3db43:$s7: logins 0x40826:$s7: logins 0x40906:$s7: logins 0x438c2:$s7: logins 0x414a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.29bef46.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e4d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e5d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e6cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e7d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.29bef46.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38611:$s2: GetPrivateProfileString 0x3b883:$s3: get_OSFullName 0x38c1e:$s5: remove_Key 0x38c3e:$s5: remove_Key 0x3bcf2:$s6: FtpWebRequest 0x3e4b9:$s7: logins 0x3ea2b:$s7: logins 0x4170e:$s7: logins 0x417ee:$s7: logins 0x447aa:$s7: logins 0x42388:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.3d02f90.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3d02f90.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3d02f90.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3d02f90.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d5ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d661:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d6eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d77d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d7e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d859:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d8ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d97f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3d02f90.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37729:$s2: GetPrivateProfileString 0x3a99b:$s3: get_OSFullName 0x37d36:$s5: remove_Key 0x37d56:$s5: remove_Key 0x3ae0a:$s6: FtpWebRequest 0x3d5d1:$s7: logins 0x3db43:$s7: logins 0x40826:$s7: logins 0x40906:$s7: logins 0x438c2:$s7: logins 0x414a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.29bfe2e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.29bfe2e.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.3cb5570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3cb5570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3cb5570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3cb5570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e4d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e5d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e6cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e7d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3cb5570.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38611:$s2: GetPrivateProfileString 0x3b883:$s3: get_OSFullName 0x38c1e:$s5: remove_Key 0x38c3e:$s5: remove_Key 0x3bcf2:$s6: FtpWebRequest 0x3e4b9:$s7: logins 0x3ea2b:$s7: logins 0x4170e:$s7: logins 0x417ee:$s7: logins 0x447aa:$s7: logins 0x42388:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.3d02f90.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3d02f90.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3d02f90.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3d02f90.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3d02f90.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.2ab0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ab0000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ab0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ab0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40349:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40465:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40541:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40667:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ab0000.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a411:$s2: GetPrivateProfileString 0x3d683:$s3: get_OSFullName 0x3aa1e:$s5: remove_Key 0x3aa3e:$s5: remove_Key 0x3daf2:$s6: FtpWebRequest 0x402b9:$s7: logins 0x4082b:$s7: logins 0x4350e:$s7: logins 0x435ee:$s7: logins 0x465aa:$s7: logins 0x44188:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.3cb6458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3cb6458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3cb6458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3cb6458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f3ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8bf27:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f461:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8bf99:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f4eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c023:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f57d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c0b5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f5e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c11f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f659:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c191:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f6ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c227:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f77f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c2b7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3cb6458.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39529:$s2: GetPrivateProfileString 0x86061:$s2: GetPrivateProfileString 0x3c79b:$s3: get_OSFullName 0x892d3:$s3: get_OSFullName 0x39b36:$s5: remove_Key 0x39b56:$s5: remove_Key 0x8666e:$s5: remove_Key 0x8668e:$s5: remove_Key 0x3cc0a:$s6: FtpWebRequest 0x89742:$s6: FtpWebRequest 0x3f3d1:$s7: logins 0x3f943:$s7: logins 0x42626:$s7: logins 0x42706:$s7: logins 0x456c2:$s7: logins 0x8bf09:$s7: logins 0x8c47b:$s7: logins 0x8f15e:$s7: logins 0x8f23e:$s7: logins 0x921fa:$s7: logins 0x432a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.29bfe2e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.29bfe2e.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d5ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d661:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d6eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d77d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d7e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d859:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d8ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d97f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.29bfe2e.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37729:$s2: GetPrivateProfileString 0x3a99b:$s3: get_OSFullName 0x37d36:$s5: remove_Key 0x37d56:$s5: remove_Key 0x3ae0a:$s6: FtpWebRequest 0x3d5d1:$s7: logins 0x3db43:$s7: logins 0x40826:$s7: logins 0x40906:$s7: logins 0x438c2:$s7: logins 0x414a0:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.RegSvcs.exe.3cb5570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3cb5570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3cb5570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3cb5570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8ce0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40349:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8ce81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8cf0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40465:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8cf9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d007:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40541:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d079:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d10f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40667:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d19f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3cb5570.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a411:$s2: GetPrivateProfileString 0x86f49:$s2: GetPrivateProfileString 0x3d683:$s3: get_OSFullName 0x8a1bb:$s3: get_OSFullName 0x3aa1e:$s5: remove_Key 0x3aa3e:$s5: remove_Key 0x87556:$s5: remove_Key 0x87576:$s5: remove_Key 0x3daf2:$s6: FtpWebRequest 0x8a62a:$s6: FtpWebRequest 0x402b9:$s7: logins 0x4082b:$s7: logins 0x4350e:$s7: logins 0x435ee:$s7: logins 0x465aa:$s7: logins 0x8cdf1:$s7: logins 0x8d363:$s7: logins 0x90046:$s7: logins 0x90126:$s7: logins 0x930e2:$s7: logins 0x44188:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 78 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe", CommandLine: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe", CommandLine|base64offset|contains: %CH9, Image: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, NewProcessName: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, OriginalFileName: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe", ProcessId: 7420, ProcessName: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Multi AV Scanner detection for submitted file

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Joe Sandbox ML: detected

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49707 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005B6CA9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_005B60DD
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_005B63F9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005BEB60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BF56F FindFirstFileW,FindClose,	0_2_005BF56F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005BF5FA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C1B2F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C1C8A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005C1F94

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005C4EB5

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, n00.cs

.Net Code: lGCzgIzdr

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005C6B0C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005C6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005C6D07

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

0_2_005C6B0C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_005B2B37

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005DF7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe.2300000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00573D19
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d9ae9e02-1
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ZSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d7c2115a-3
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a810b0ec-2
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c9eac0fd-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_005B6606

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005AAF64 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

0_2_005AAF64

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005B79D3

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059B043	0_2_0059B043
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A410F	0_2_005A410F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005902A4	0_2_005902A4
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0057E3E3	0_2_0057E3E3
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A038E	0_2_005A038E
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A467F	0_2_005A467F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005906D9	0_2_005906D9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005DAACE	0_2_005DAACE
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A4BEF	0_2_005A4BEF
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059CCC1	0_2_0059CCC1
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0057AF50	0_2_0057AF50
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00576F07	0_2_00576F07
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0058B11F	0_2_0058B11F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059D1B9	0_2_0059D1B9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005D31BC	0_2_005D31BC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A724D	0_2_005A724D
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00583200	0_2_00583200
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059123A	0_2_0059123A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B13CA	0_2_005B13CA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005793F0	0_2_005793F0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0058F563	0_2_0058F563
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005796C0	0_2_005796C0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BB6CC	0_2_005BB6CC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005DF7FF	0_2_005DF7FF
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005777B0	0_2_005777B0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A79C9	0_2_005A79C9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0058FA57	0_2_0058FA57
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00583B70	0_2_00583B70
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00579B60	0_2_00579B60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0058FE6F	0_2_0058FE6F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00599ED0	0_2_00599ED0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00577FA3	0_2_00577FA3
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_016CD5D0	0_2_016CD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418244	7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00401650	7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418788	7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0293CDC8	7_2_0293CDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0293D9E0	7_2_0293D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931298	7_2_02931298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931030	7_2_02931030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931022	7_2_02931022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0293D110	7_2_0293D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061FEE78	7_2_061FEE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061F9738	7_2_061F9738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061FBD98	7_2_061FBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061F6318	7_2_061F6318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061FF5D0	7_2_061FF5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061F0027	7_2_061F0027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_061F0040	7_2_061F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06615238	7_2_06615238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0661A0F8	7_2_0661A0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_066161B0	7_2_066161B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06611538	7_2_06611538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_066183B0	7_2_066183B0

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: String function: 0058EC2F appears 68 times
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: String function: 00596AC0 appears 42 times
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: String function: 0059F8A0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1276118959.00000000041B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1276271429.000000000435D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe.2300000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005BCE7A GetLastError,FormatMessageW,

0_2_005BCE7A

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005AAB84 AdjustTokenPrivileges,CloseHandle,		0_2_005AAB84
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005AB134

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005BE1FD

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_005B6532

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_005CC18C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0057406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0057406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut42B5.tmp

Jump to behavior

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Static file information: File size 1191936 > 1048576

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0058E01E LoadLibraryA,GetProcAddress,

0_2_0058E01E

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00596B05 push ecx; ret	0_2_00596B18
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059BDAA push edi; ret	0_2_0059BDAC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0059BEC3 push esi; ret	0_2_0059BEC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004231C8 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C6BE push ebx; ret	7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02933222 push edx; retf	7_2_02933224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02932272 push edx; retf	7_2_02932273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02934705 pushfd ; retf	7_2_02934719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_029348CC push edx; retf	7_2_029348CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02934C64 push edx; retf	7_2_02934C65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0293392E push edx; retf	7_2_0293392F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0293557C push edx; retf	7_2_0293557D

Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005D8111
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_0058EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0058EB42

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0059123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0059123A

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

API/Special instruction interceptor: Address: 16CD1F4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595861	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8176			Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Evaded block: after key decision

graph_0-86807

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87264

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

API coverage: 4.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005B6CA9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_005B60DD
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_005B63F9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005BEB60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BF56F FindFirstFileW,FindClose,	0_2_005BF56F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005BF5FA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C1B2F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C1C8A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005C1F94

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0058DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0058DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595861	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.3731857262.00000000052BD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	API call chain: ExitProcess graph end node			graph_0-86238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005C6AAF BlockInput,

0_2_005C6AAF

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_00573D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00573D19

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_005A3920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0058E01E LoadLibraryA,GetProcAddress,

0_2_0058E01E

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_016CD460 mov eax, dword ptr fs:[00000030h]	0_2_016CD460
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_016CD4C0 mov eax, dword ptr fs:[00000030h]	0_2_016CD4C0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_016CBE10 mov eax, dword ptr fs:[00000030h]	0_2_016CBE10

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_005AA66C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_00598189 SetUnhandledExceptionFilter,	0_2_00598189
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005981AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 961008

Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005AB106 LogonUserW,

0_2_005AB106

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_00573D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00573D19

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B411C SendInput,keybd_event,

0_2_005B411C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B74E7 mouse_event,

0_2_005B74E7

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

0_2_005AA66C

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005B71FA

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: Shell_TrayWnd
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005965C4 cpuid

0_2_005965C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

7_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_005C091D

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005EB340 GetUserNameW,

0_2_005EB340

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_005A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_005A1E8E

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Code function: 0_2_0058DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0058DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_81
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_XP
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_XPe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_VISTA
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_7
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_005C8C4F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_005C923B
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Code function: 0_2_005A58C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	0_2_005A58C5

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	12 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	63%	ReversingLabs	Win32.Trojan.AutoitInject
CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
beirutrest.com	50.87.144.157	true	false		high
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://beirutrest.com	RegSvcs.exe, 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.144.157	beirutrest.com	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562317
Start date and time:	2024-11-25 13:55:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 47 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
07:56:23	API Interceptor	10700535x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
50.87.144.157	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beirutrest.com	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
api.ipify.org	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	104.21.49.253
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO_203-25.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	https://go.jrwcap.com/e/955053/230645595232154/6xyvj/710994189/h/-dwcgo8Jrn520ILsDDgocWZSKLzmmTijUb6c_giV2KA	Get hash	malicious	Phisher	Browse	104.22.72.81
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	Unknown	Browse	104.21.88.250
UNIFIEDLAYER-AS-1US	http://taerendil.free.fr/Kzf20FukxrNV0r0Xw3	Get hash	malicious	Unknown	Browse	216.172.172.72
	https://cgpsco.rahalat.net/conta	Get hash	malicious	Unknown	Browse	108.179.211.49
	https://google.lt/amp/taerendil.online.fr/gpfv9cqYcuejGaVElbEvNcI6wCkeo	Get hash	malicious	Unknown	Browse	216.172.172.72
	FGQ-667893.pdf	Get hash	malicious	Unknown	Browse	162.214.147.84
	apep.arm6.elf	Get hash	malicious	Mirai	Browse	142.7.137.161
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	216.172.172.178
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	142.6.128.90
	http://ppc-overwatch.com	Get hash	malicious	Unknown	Browse	69.49.245.172
	Yssr_Receipt.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ==	Get hash	malicious	Unknown	Browse	162.241.65.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.12.205
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.26.12.205
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	https://www.e-serviceparts.info/landingpages/cce21bb4-48dd-49da-9e48-d89a21f56454/RtynoRElk6VQIiohoauuXaUdv9Gb4EPJBf3UQg9_Um4	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	lcc333.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	lcc333.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://cgpsco.rahalat.net/conta	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	7.916564732301857
Encrypted:	false
SSDEEP:	6144:WRPEVS45BFPse+U467E8n5YAV4QB0Qk7b+yg:WRcVF597NVF0Qk7Dg
MD5:	FF1B10A63C5C72BC7E8EF4585A5E6193
SHA1:	DB6F552A91A8A696667760D8BEED428460ED3EF6
SHA-256:	D34F4D0DF669936BCCEC5520C9031B03519A2F7D2F7AD37A4DE25D6D7986AAD1
SHA-512:	B120A13ED50E71BCF241F85D3A3366B82110F2B45B8B47C6DB7407C238BA16885E53EEFC6DB7436567C218453CAB44D144CD65BF62A2BD7C6529629E55A99A58
Malicious:	false
Reputation:	low
Preview:	...N6FS6TG70..SB.HO4NQGCxARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEW.F0N;Y.8P.>.e.R..i.\'"g3J.5&$:i%Q [)'.2".B1#s+Wh.{.q,\$\|YH]mF0N5FS68W..h<.<.9.Jb .=.b-z&.8;..8xG.9.A.3.3.6}. /[2.?`w,).7.0.e(H}6.N.$0*.9.JNQGC8ARTEWIF0N5F=."70DM..9H.5JQ3.8.RTEWIF0N.Fp7[F>0D.RB92M4NQGC..RTEGIF0.4FS6.G7 DMS@9HJ4NQGC8AWTEWIF0N5&W6PC70.vQB;HO.NQWC8QRTEWYF0^5FS6PG'0DMSB9HO4NQ.V:A.TEWI&2N..R6PG70DMSB9HO4NQGC8ARTEWIF..4FO6PG70DMSB9HO4NQGC8ARTEWIF0N.KQ6.G70DMSB9HO4N.FC.@RTEWIF0N5FS6PG70DMSB9HO4NQi7]9&TEWQ.1N5VS6P.60DISB9HO4NQGC8ARTeWI&.<Q''WPG.]DMS.8HOZNQG.9ARTEWIF0N5FS6.G7pj)26XHO4.aGC8aPTEAIF0D7FS6PG70DMSB9H.4N.i1K31TEW.1N5&Q6P.60DmQB9HO4NQGC8ART.WI.0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG

C:\Users\user\AppData\Local\Temp\lecheries

Download File

Process:	C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	7.916564732301857
Encrypted:	false
SSDEEP:	6144:WRPEVS45BFPse+U467E8n5YAV4QB0Qk7b+yg:WRcVF597NVF0Qk7Dg
MD5:	FF1B10A63C5C72BC7E8EF4585A5E6193
SHA1:	DB6F552A91A8A696667760D8BEED428460ED3EF6
SHA-256:	D34F4D0DF669936BCCEC5520C9031B03519A2F7D2F7AD37A4DE25D6D7986AAD1
SHA-512:	B120A13ED50E71BCF241F85D3A3366B82110F2B45B8B47C6DB7407C238BA16885E53EEFC6DB7436567C218453CAB44D144CD65BF62A2BD7C6529629E55A99A58
Malicious:	false
Reputation:	low
Preview:	...N6FS6TG70..SB.HO4NQGCxARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEW.F0N;Y.8P.>.e.R..i.\'"g3J.5&$:i%Q [)'.2".B1#s+Wh.{.q,\$\|YH]mF0N5FS68W..h<.<.9.Jb .=.b-z&.8;..8xG.9.A.3.3.6}. /[2.?`w,).7.0.e(H}6.N.$0*.9.JNQGC8ARTEWIF0N5F=."70DM..9H.5JQ3.8.RTEWIF0N.Fp7[F>0D.RB92M4NQGC..RTEGIF0.4FS6.G7 DMS@9HJ4NQGC8AWTEWIF0N5&W6PC70.vQB;HO.NQWC8QRTEWYF0^5FS6PG'0DMSB9HO4NQ.V:A.TEWI&2N..R6PG70DMSB9HO4NQGC8ARTEWIF..4FO6PG70DMSB9HO4NQGC8ARTEWIF0N.KQ6.G70DMSB9HO4N.FC.@RTEWIF0N5FS6PG70DMSB9HO4NQi7]9&TEWQ.1N5VS6P.60DISB9HO4NQGC8ARTeWI&.<Q''WPG.]DMS.8HOZNQG.9ARTEWIF0N5FS6.G7pj)26XHO4.aGC8aPTEAIF0D7FS6PG70DMSB9H.4N.i1K31TEW.1N5&Q6P.60DmQB9HO4NQGC8ART.WI.0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG70DMSB9HO4NQGC8ARTEWIF0N5FS6PG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.124914767515535
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
File size:	1'191'936 bytes
MD5:	1ca01a88b80112024883e55a27b1345a
SHA1:	3fdcd8cd1ff882b9c76dd93f680bb7f60fc97c7d
SHA256:	a848e5d8d3a080b81556f4f7ec1fe1103610bf7bbb023065bf2e6696abaf6769
SHA512:	9f978fe421c5217bccf787df0a105f584cd945be1f43e77f1971d688becaa9682a01acf7585b6bcaf4111103835dbcaa2caef59ccd393a16360cedebfb891125
SSDEEP:	24576:Xtb20pkaCqT5TBWgNQ7aaGNhHYefDINn9Zr3qH6A:UVg5tQ7aaaHYaEN9K5
TLSH:	1945CF1373DDC360C7B25273BA25B7017EBB782506B5F96B2F98093DE920122525EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67402F0A [Fri Nov 22 07:13:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F6C908FBC4Fh
jmp 00007F6C908EEC64h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F6C908EEDEAh
cmp edi, eax
jc 00007F6C908EF14Eh
bt dword ptr [004C0158h], 01h
jnc 00007F6C908EEDE9h
rep movsb
jmp 00007F6C908EF0FCh
cmp ecx, 00000080h
jc 00007F6C908EEFB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F6C908EEDF0h
bt dword ptr [004BA370h], 01h
jc 00007F6C908EF2C0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F6C908EEF8Dh
test edi, 00000003h
jne 00007F6C908EEF9Eh
test esi, 00000003h
jne 00007F6C908EEF7Dh
bt edi, 02h
jnc 00007F6C908EEDEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F6C908EEDF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F6C908EEE45h
bt esi, 03h
jnc 00007F6C908EEE98h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x59f14	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x59f14	0x5a000	531c913ef39add43988cc5ee5474a2a4	False	0.9291042751736112	data	7.8980230236481646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x515eb	data			1.0003330422963717
RT_GROUP_ICON	0x11d9fc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11da74	0x14	data	English	Great Britain	1.15
RT_VERSION	0x11da88	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11db64	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 13:56:22.002676964 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:22.002721071 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:22.004653931 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:22.009329081 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:22.009352922 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.322767973 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.322916985 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:23.371126890 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:23.371157885 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.371622086 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.424588919 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:23.585652113 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:23.631337881 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.928700924 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.928770065 CET	443	49707	104.26.12.205	192.168.2.10
Nov 25, 2024 13:56:23.928843021 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:23.934561014 CET	49707	443	192.168.2.10	104.26.12.205
Nov 25, 2024 13:56:25.237222910 CET	49709	21	192.168.2.10	50.87.144.157
Nov 25, 2024 13:56:25.358505011 CET	21	49709	50.87.144.157	192.168.2.10
Nov 25, 2024 13:56:25.366390944 CET	49709	21	192.168.2.10	50.87.144.157
Nov 25, 2024 13:56:25.366390944 CET	49709	21	192.168.2.10	50.87.144.157
Nov 25, 2024 13:56:25.486731052 CET	21	49709	50.87.144.157	192.168.2.10
Nov 25, 2024 13:56:25.486901999 CET	49709	21	192.168.2.10	50.87.144.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 13:56:21.854711056 CET	61907	53	192.168.2.10	1.1.1.1
Nov 25, 2024 13:56:21.997590065 CET	53	61907	1.1.1.1	192.168.2.10
Nov 25, 2024 13:56:24.552846909 CET	58452	53	192.168.2.10	1.1.1.1
Nov 25, 2024 13:56:25.233720064 CET	53	58452	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 13:56:21.854711056 CET	192.168.2.10	1.1.1.1	0xebb6	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:56:24.552846909 CET	192.168.2.10	1.1.1.1	0x1cb1	Standard query (0)	beirutrest.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 13:56:21.997590065 CET	1.1.1.1	192.168.2.10	0xebb6	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:56:21.997590065 CET	1.1.1.1	192.168.2.10	0xebb6	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:56:21.997590065 CET	1.1.1.1	192.168.2.10	0xebb6	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 13:56:25.233720064 CET	1.1.1.1	192.168.2.10	0x1cb1	No error (0)	beirutrest.com	50.87.144.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	104.26.12.205	443	7820	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 12:56:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 12:56:23 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 12:56:23 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e81cc6c7dba0f74-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1471&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1818181&cwnd=136&unsent_bytes=0&cid=3c580bf4b9e44d9b&ts=621&x=0"
2024-11-25 12:56:23 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Target ID:	0
Start time:	07:56:18
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Imagebase:	0x570000
File size:	1'191'936 bytes
MD5 hash:	1CA01A88B80112024883E55A27B1345A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:56:19
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Imagebase:	0x710000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	4.5%
Total number of Nodes:	1856
Total number of Limit Nodes:	165

Executed Functions

Function 0059B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3280e957fba89c40d4e39121a4de6ad2839d768b7f337c76d46371cb577fccc6
Instruction ID: 35955e9c4ed1fcbd5e65cf7bbf320afe405faaedee57ccc32c0a7f6d9503cb93
Opcode Fuzzy Hash: 3280e957fba89c40d4e39121a4de6ad2839d768b7f337c76d46371cb577fccc6
Instruction Fuzzy Hash: 52325075A022198BEF24CF54ED856E9BBB5FF4A310F1841D9E40AE7A91D7309E80CF52

Function 00573D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00573AA3,?), ref: 00573D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00573AA3,?), ref: 00573D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00631148,00631130,?,?,?,?,00573AA3,?), ref: 00573DC8

Part of subcall function 00576430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00573DEE,00631148,?,?,?,?,?,00573AA3,?), ref: 00576471

SetCurrentDirectoryW.KERNEL32(?,?,?,00573AA3,?), ref: 00573E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006228F4,00000010), ref: 005E1CCE
SetCurrentDirectoryW.KERNEL32(?,00631148,?,?,?,?,?,00573AA3,?), ref: 005E1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0060DAB4,00631148,?,?,?,?,?,00573AA3,?), ref: 005E1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00573AA3), ref: 005E1D90

Part of subcall function 00573E6E: GetSysColorBrush.USER32(0000000F), ref: 00573E79
Part of subcall function 00573E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00573E88
Part of subcall function 00573E6E: LoadIconW.USER32(00000063), ref: 00573E9E
Part of subcall function 00573E6E: LoadIconW.USER32(000000A4), ref: 00573EB0
Part of subcall function 00573E6E: LoadIconW.USER32(000000A2), ref: 00573EC2
Part of subcall function 00573E6E: RegisterClassExW.USER32(?), ref: 00573F30

Part of subcall function 005736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005736E6
Part of subcall function 005736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00573707
Part of subcall function 005736B8: ShowWindow.USER32(00000000,?,?,?,?,00573AA3,?), ref: 0057371B
Part of subcall function 005736B8: ShowWindow.USER32(00000000,?,?,?,?,00573AA3,?), ref: 00573724

Part of subcall function 00574FFC: _memset.LIBCMT ref: 00575022
Part of subcall function 00574FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005750CB

Strings

runas, xrefs: 005E1D84
()b, xrefs: 005E1D49
This is a third-party compiled AutoIt script., xrefs: 005E1CC8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()b$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-4035154860
Opcode ID: 2026e3f05497c4635531f33f4183ac75a2a11bafa342dff5ba43448961466f24
Instruction ID: 9424488fd5c19615b77675236a595e953d48adb1cc086bb96707eede0dd83c22
Opcode Fuzzy Hash: 2026e3f05497c4635531f33f4183ac75a2a11bafa342dff5ba43448961466f24
Instruction Fuzzy Hash: E3510930D04246AACB11ABB0FC49DED7F7BBB56710F00C464F649AA192DB744545FB71

Function 0058DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0058DDEC
GetCurrentProcess.KERNEL32(00000000,0060DC38,?,?), ref: 0058DEAC
GetNativeSystemInfo.KERNELBASE(?,0060DC38,?,?), ref: 0058DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0058DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0058DF1F
GetSystemInfo.KERNEL32(?,0060DC38,?,?), ref: 0058DF29
GetSystemInfo.KERNEL32(?,0060DC38,?,?), ref: 0058DF35

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 6ecf1e26af137129a96587716bc86aafcb4254223798373c9e02c2e09ae14d79
Instruction ID: 00edf291a40d7204bd000bfbff063ea9a89c6f300bf5f2eef6b8a4e7d24fe1bd
Opcode Fuzzy Hash: 6ecf1e26af137129a96587716bc86aafcb4254223798373c9e02c2e09ae14d79
Instruction Fuzzy Hash: E96193B180A2C4DBCF15DF6894C15E9BFB87F69300F1989D9DC85AF28BC6248909CB65

Function 0057406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0057449E,?,?,00000000,00000001), ref: 0057407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0057449E,?,?,00000000,00000001), ref: 00574092
LoadResource.KERNEL32(?,00000000,?,?,0057449E,?,?,00000000,00000001,?,?,?,?,?,?,005741FB), ref: 005E4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0057449E,?,?,00000000,00000001,?,?,?,?,?,?,005741FB), ref: 005E4F2F
LockResource.KERNEL32(0057449E,?,?,0057449E,?,?,00000000,00000001,?,?,?,?,?,?,005741FB,00000000), ref: 005E4F42

Strings

SCRIPT, xrefs: 00574088

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9fb533edef612092b281a3ae356e90d643e9b7e71d0b2f0a9cafde89bce24a99
Instruction ID: 5316ba32da2a57b611af4a8f7cf9bd11f6c4340278aa7cd980ed941b7ba5f54f
Opcode Fuzzy Hash: 9fb533edef612092b281a3ae356e90d643e9b7e71d0b2f0a9cafde89bce24a99
Instruction Fuzzy Hash: AC115A74200701AFE7218B25EC48F277BBAEBC5B51F10812CF606DA2A0DB71DC04EA70

Function 005B6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,005E2F49), ref: 005B6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 005B6CCA
FindClose.KERNEL32(00000000), ref: 005B6CDA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ee482288a1eb6f6cfb23989a28742bfbe51ac874f9ad7cdc6c30ce77ec4026ae
Instruction ID: 4a9afe491c7eae58b4a6e92c6ac633f5f17085ae940008b78303cadd9ff0cec8
Opcode Fuzzy Hash: ee482288a1eb6f6cfb23989a28742bfbe51ac874f9ad7cdc6c30ce77ec4026ae
Instruction Fuzzy Hash: 52E012318145155782106738AC098E97F6DEA15339B104715F575C11D0E768FD54D5A5

Function 0057E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0057E959
timeGetTime.WINMM ref: 0057EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0057ED2E
TranslateMessage.USER32(?), ref: 0057ED3F
DispatchMessageW.USER32(?), ref: 0057ED4A
LockWindowUpdate.USER32(00000000), ref: 0057ED79
DestroyWindow.USER32 ref: 0057ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0057ED9F
Sleep.KERNEL32(0000000A), ref: 005E5270
TranslateMessage.USER32(?), ref: 005E59F7
DispatchMessageW.USER32(?), ref: 005E5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005E5A19

Strings

@TRAY_ID, xrefs: 005E54C9
@GUI_CTRLID, xrefs: 005E5314
@GUI_CTRLHANDLE, xrefs: 005E53AC
@GUI_WINHANDLE, xrefs: 005E5360

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 9fd8ac041105e00aec4ef9e4ca580b108c8d6bbf71f19b24c0953c2cad3a4681
Instruction ID: 74943fa49a999b8b69e9b2d87509a5a79826fc0301f91af5c6e137462d97d52e
Opcode Fuzzy Hash: 9fd8ac041105e00aec4ef9e4ca580b108c8d6bbf71f19b24c0953c2cad3a4681
Instruction Fuzzy Hash: 2062DB70504381DFDB24DF24D88ABAA7FE5BF84304F14896DF98A8B292D774D844DB52

Function 005A5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 005A5EC3
___createFile.LIBCMT ref: 005A5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005A5F2D
__dosmaperr.LIBCMT ref: 005A5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 005A5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005A5F6A
__dosmaperr.LIBCMT ref: 005A5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005A5F7C
__set_osfhnd.LIBCMT ref: 005A5FAC
__lseeki64_nolock.LIBCMT ref: 005A6016
__close_nolock.LIBCMT ref: 005A603C
__chsize_nolock.LIBCMT ref: 005A606C
__lseeki64_nolock.LIBCMT ref: 005A607E
__lseeki64_nolock.LIBCMT ref: 005A6176
__lseeki64_nolock.LIBCMT ref: 005A618B
__close_nolock.LIBCMT ref: 005A61EB

Part of subcall function 0059EA9C: CloseHandle.KERNELBASE(00000000,0061EEF4,00000000,?,005A6041,0061EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0059EAEC
Part of subcall function 0059EA9C: GetLastError.KERNEL32(?,005A6041,0061EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0059EAF6
Part of subcall function 0059EA9C: __free_osfhnd.LIBCMT ref: 0059EB03
Part of subcall function 0059EA9C: __dosmaperr.LIBCMT ref: 0059EB25

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

__lseeki64_nolock.LIBCMT ref: 005A620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005A6342
___createFile.LIBCMT ref: 005A6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005A636E
__dosmaperr.LIBCMT ref: 005A6375
__free_osfhnd.LIBCMT ref: 005A6395
__invoke_watson.LIBCMT ref: 005A63C3
__wsopen_helper.LIBCMT ref: 005A63DD

Strings

@, xrefs: 005A5F98

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 82d33b5f4e94ad7c202f80f546c95b0799829e49f85b28bdff4276e9fc052327
Instruction ID: 94951a92fef12857173b9183c1c4a98f99eefa42bcdce9285a55391a446eb2f9
Opcode Fuzzy Hash: 82d33b5f4e94ad7c202f80f546c95b0799829e49f85b28bdff4276e9fc052327
Instruction Fuzzy Hash: 3B22457190060A9FEF259F68CC49BBD7F61FF56324F284629E5219B2D1E3358E40CB91

Function 005BFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 005BFA96
_wcschr.LIBCMT ref: 005BFAA4
_wcscpy.LIBCMT ref: 005BFABB
_wcscat.LIBCMT ref: 005BFACA
_wcscat.LIBCMT ref: 005BFAE8
_wcscpy.LIBCMT ref: 005BFB09
__wsplitpath.LIBCMT ref: 005BFBE6
_wcscpy.LIBCMT ref: 005BFC0B
_wcscpy.LIBCMT ref: 005BFC1D
_wcscpy.LIBCMT ref: 005BFC32
_wcscat.LIBCMT ref: 005BFC47
_wcscat.LIBCMT ref: 005BFC59
_wcscat.LIBCMT ref: 005BFC6E

Part of subcall function 005BBFA4: _wcscmp.LIBCMT ref: 005BC03E
Part of subcall function 005BBFA4: __wsplitpath.LIBCMT ref: 005BC083
Part of subcall function 005BBFA4: _wcscpy.LIBCMT ref: 005BC096
Part of subcall function 005BBFA4: _wcscat.LIBCMT ref: 005BC0A9
Part of subcall function 005BBFA4: __wsplitpath.LIBCMT ref: 005BC0CE
Part of subcall function 005BBFA4: _wcscat.LIBCMT ref: 005BC0E4
Part of subcall function 005BBFA4: _wcscat.LIBCMT ref: 005BC0F7

Strings

t2b, xrefs: 005BFC97
>>>AUTOIT SCRIPT<<<, xrefs: 005BFA61

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2b
API String ID: 2955681530-802444957
Opcode ID: b7161e3dbaa5de2a3cc67011769472a8bf0f527c3f2d93b00feb90d3ab729d6b
Instruction ID: e07bf3198d4c551701d7683159777151da61700178980253d46c310c32341c9c
Opcode Fuzzy Hash: b7161e3dbaa5de2a3cc67011769472a8bf0f527c3f2d93b00feb90d3ab729d6b
Instruction Fuzzy Hash: 4E91A172504706AFDB20EF54C855E9ABBE9BF84310F008869F94997292DB34FE44CB92

Function 005BBFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005BBDB4: __time64.LIBCMT ref: 005BBDBE

Part of subcall function 00574517: _fseek.LIBCMT ref: 0057452F

__wsplitpath.LIBCMT ref: 005BC083

Part of subcall function 00591DFC: __wsplitpath_helper.LIBCMT ref: 00591E3C

_wcscpy.LIBCMT ref: 005BC096
_wcscat.LIBCMT ref: 005BC0A9
__wsplitpath.LIBCMT ref: 005BC0CE
_wcscat.LIBCMT ref: 005BC0E4
_wcscat.LIBCMT ref: 005BC0F7
_wcscmp.LIBCMT ref: 005BC03E

Part of subcall function 005BC56D: _wcscmp.LIBCMT ref: 005BC65D
Part of subcall function 005BC56D: _wcscmp.LIBCMT ref: 005BC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005BC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005BC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005BC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005BC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005BC371

Strings

p1Mw`KNw, xrefs: 005BC2A1, 005BC338, 005BC35F, 005BC371

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1Mw`KNw
API String ID: 2378138488-3626030660
Opcode ID: 54997edebe720afd2a9141c5e36567571d27c87f5cce0bdc081727629ccb4ea0
Instruction ID: 0661726d3fdc5eec62f307e07f6a24859a5afeb0fb04f3ae236f2cb2cc792e95
Opcode Fuzzy Hash: 54997edebe720afd2a9141c5e36567571d27c87f5cce0bdc081727629ccb4ea0
Instruction Fuzzy Hash: D8C12CB1900229AFDF11DF95CC85EDEBBBDBF88300F1080A6F609E6151DB70AA449F65

Function 00573F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00573F86
RegisterClassExW.USER32(00000030), ref: 00573FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00573FC1
InitCommonControlsEx.COMCTL32(?), ref: 00573FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00573FEE
LoadIconW.USER32(000000A9), ref: 00574004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00574013

Strings

TaskbarCreated, xrefs: 00573FB6
AutoIt v3 GUI, xrefs: 00573FA2
0, xrefs: 00573F68
+, xrefs: 00573F6F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4f0e943ae456119b1a744c0354ace563e6fb39e7e082d7fe70668f3fe291e729
Instruction ID: 059caacf082bd9359fabbf7b7c112332c3621616fd7ce5033cddf5bef5a9589d
Opcode Fuzzy Hash: 4f0e943ae456119b1a744c0354ace563e6fb39e7e082d7fe70668f3fe291e729
Instruction Fuzzy Hash: 2721F7B5901318AFDB00EFE4E889BDDBBB6FB1A700F10521AF511EA2A0D7B44544DFA1

Function 00573742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005737B3
KillTimer.USER32(?,00000001), ref: 005737DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00573800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0057380B
CreatePopupMenu.USER32 ref: 0057381F
PostQuitMessage.USER32(00000000), ref: 0057382E

Strings

TaskbarCreated, xrefs: 00573806

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 038964934a8534bd76fd640df5318adde08a95fa7c261a368abbe2f19824679f
Instruction ID: 459e3069efd6909528d7512f6704962b827dcacafb06bd24b68301e06d978332
Opcode Fuzzy Hash: 038964934a8534bd76fd640df5318adde08a95fa7c261a368abbe2f19824679f
Instruction Fuzzy Hash: A04113F110424BABDB1C6F68BC4EB7A3E6AF741320F048515F90ADA191DB749F41B7A2

Function 00573E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00573E79
LoadCursorW.USER32(00000000,00007F00), ref: 00573E88
LoadIconW.USER32(00000063), ref: 00573E9E
LoadIconW.USER32(000000A4), ref: 00573EB0
LoadIconW.USER32(000000A2), ref: 00573EC2

Part of subcall function 00574024: LoadImageW.USER32(00570000,00000063,00000001,00000010,00000010,00000000), ref: 00574048

RegisterClassExW.USER32(?), ref: 00573F30

Part of subcall function 00573F53: GetSysColorBrush.USER32(0000000F), ref: 00573F86
Part of subcall function 00573F53: RegisterClassExW.USER32(00000030), ref: 00573FB0
Part of subcall function 00573F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00573FC1
Part of subcall function 00573F53: InitCommonControlsEx.COMCTL32(?), ref: 00573FDE
Part of subcall function 00573F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00573FEE
Part of subcall function 00573F53: LoadIconW.USER32(000000A9), ref: 00574004
Part of subcall function 00573F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00574013

Strings

#, xrefs: 00573F09
0, xrefs: 00573F02
AutoIt v3, xrefs: 00573F1F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e18ce2594f5aa07487a3ea5c15cac7b64ac6cfd8d03cc24e776f3d7a6e100273
Instruction ID: ec2f05d80a8c02f0416a8fdbd94a913ef299cffd963e3702fe0f9522dc587595
Opcode Fuzzy Hash: e18ce2594f5aa07487a3ea5c15cac7b64ac6cfd8d03cc24e776f3d7a6e100273
Instruction Fuzzy Hash: 112130B0D00304ABCB04DFA9EC49B99BFF6FB49310F10912AE619AB2A0D7759644DFD1

Function 016CC5B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016CC681
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016CC8A7

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 82da6562ea58e1e6a493f370b5b44df79f1e69436ef7e6b8db348b6991eb573a
Instruction ID: 21a2b21506dafa4747f898bd7f4a4b83a0b49ce6a62aff1d643cd8c10e317f6c
Opcode Fuzzy Hash: 82da6562ea58e1e6a493f370b5b44df79f1e69436ef7e6b8db348b6991eb573a
Instruction Fuzzy Hash: 63A1F774E01209EBDB14CFA4C994BBEBBB5FF48714F20815DE205BB281D7759A41CBA4

Function 005749FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00574A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005E41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005E421A
RegCloseKey.ADVAPI32(?), ref: 005E4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00574A13
Include, xrefs: 005E41D3, 005E4212

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 5b417cb2641dab42deed0c66f9861fc62d77b2ab53e2b9a62ab4279c86051e8e
Instruction ID: b67a5f980537d6dbaed1549461c5a0d2186e62832d789c4a10dd09851c25f5a3
Opcode Fuzzy Hash: 5b417cb2641dab42deed0c66f9861fc62d77b2ab53e2b9a62ab4279c86051e8e
Instruction Fuzzy Hash: 3B115E71600109BFEB08ABA4DD8ADBF7BBCEB54344F004055B506D6191EA706E05EB60

Function 005736B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005736E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00573707
ShowWindow.USER32(00000000,?,?,?,?,00573AA3,?), ref: 0057371B
ShowWindow.USER32(00000000,?,?,?,?,00573AA3,?), ref: 00573724

Strings

edit, xrefs: 00573701
AutoIt v3, xrefs: 005736DE, 005736E3, 005736E4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 34b0d3fd231bc956f6c6ccd3129c771fa5491fecbc5e420425c23e8e9caa97c2
Instruction ID: 0a0a8ab8a1eb66d0b2f980bc4ac07bd37c8f65c9e0c03352f3673ee102881302
Opcode Fuzzy Hash: 34b0d3fd231bc956f6c6ccd3129c771fa5491fecbc5e420425c23e8e9caa97c2
Instruction Fuzzy Hash: 55F0DA716402D47AE7355B57AC4CE772E7FD7C7F20B01611ABA08AA1A0CB650895DAF0

Function 016CC350 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016CC240: Sleep.KERNELBASE(000001F4), ref: 016CC251

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016CC4A9

Strings

IF0N5FS6PG70DMSB9HO4NQGC8ARTEW, xrefs: 016CC50C, 016CC50F

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateFileSleep
String ID: IF0N5FS6PG70DMSB9HO4NQGC8ARTEW
API String ID: 2694422964-67170628
Opcode ID: 23cab4860c57960c82dc599d206179d23d77335abf4c5160d4470170bf911efd
Instruction ID: 9f87b7b042aea8e6e3bb4de55068a127fdffcf4e959b87d2f1f59913fd878f2e
Opcode Fuzzy Hash: 23cab4860c57960c82dc599d206179d23d77335abf4c5160d4470170bf911efd
Instruction Fuzzy Hash: 78616270D04288DAEF11DBE8C844BEEBB75AF15704F04419DE649BB2C1D7B90B49CB65

Function 00574A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00575374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00631148,?,005761FF,?,00000000,00000001,00000000), ref: 00575392

Part of subcall function 005749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00574A1D

_wcscat.LIBCMT ref: 005E2D80
_wcscat.LIBCMT ref: 005E2DB5

Strings

8!c, xrefs: 00574B1C
\Include\, xrefs: 00574B0A
\, xrefs: 005E2DA2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!c$\$\Include\
API String ID: 3592542968-3665643402
Opcode ID: f3cdf772ee050e00bcc13cf7de8476f6d51f5e2a70608e6c014aea7f105a1592
Instruction ID: 70776ae892a39fbfbeb3d304033e23189af073680aa3de4d7c47208e2554d311
Opcode Fuzzy Hash: f3cdf772ee050e00bcc13cf7de8476f6d51f5e2a70608e6c014aea7f105a1592
Instruction Fuzzy Hash: 155198754043429FC708DF55EEA585ABBFAFF99300F40992EF78893260DB709944DB91

Function 00574139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 005741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,005739FE,?,00000001), ref: 005741DB

_free.LIBCMT ref: 005E36B7
_free.LIBCMT ref: 005E36FE

Part of subcall function 0057C833: __wsplitpath.LIBCMT ref: 0057C93E
Part of subcall function 0057C833: _wcscpy.LIBCMT ref: 0057C953
Part of subcall function 0057C833: _wcscat.LIBCMT ref: 0057C968
Part of subcall function 0057C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0057C978

Strings

Bad directive syntax error, xrefs: 005E36E4
>>>AUTOIT SCRIPT<<<, xrefs: 005E3491

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 2baf0a1433c4ac7ea81624ad50e063e617352653cb4da054178d820ba17337f9
Instruction ID: eea12e4b7a251edc3236e288308a23a78289339429a6b44e5b8bfb68efa7940c
Opcode Fuzzy Hash: 2baf0a1433c4ac7ea81624ad50e063e617352653cb4da054178d820ba17337f9
Instruction Fuzzy Hash: 5D91737191025AAFCF08EFA5DC599EDBFB4BF49310F50442AF856AB291DB30AA04DF50

Function 005740E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E3725
GetOpenFileNameW.COMDLG32 ref: 005E376F

Part of subcall function 0057660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005753B1,?,?,005761FF,?,00000000,00000001,00000000), ref: 0057662F

Part of subcall function 005740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005740C6

Strings

X, xrefs: 005E373E
t3b, xrefs: 005E3745

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3b
API String ID: 3777226403-3846106806
Opcode ID: e21b03a0dedbcc8279e411cec59c40271869544e9060592f1f29c1fce827034c
Instruction ID: afbf465a0a320abe314cc6980c39ef7941a006e697ca87375e37b3de701cde1e
Opcode Fuzzy Hash: e21b03a0dedbcc8279e411cec59c40271869544e9060592f1f29c1fce827034c
Instruction Fuzzy Hash: 0A21A871A101989FCF01DF94D8497EE7FF9AF89304F008059E509EB241DBB45A89DF65

Function 005934AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 005934FE

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00593539
__wopenfile.LIBCMT ref: 00593549

Strings

<G, xrefs: 005934CD, 005934F0, 005934FC

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 6fdd28883d0531541d005eb0a65e0c14c7c5d8a36871bc88cfdd8a7eb873c505
Instruction ID: 8bc005a447adae48de627ace796b60365b105fee877a4a023c51857f347c894d
Opcode Fuzzy Hash: 6fdd28883d0531541d005eb0a65e0c14c7c5d8a36871bc88cfdd8a7eb873c505
Instruction Fuzzy Hash: 7D11E770A00307DBDF21BFB09C4666F3FA5BF89750B168825E819DB181EB34CE019BA1

Function 0058D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0058D28B,SwapMouseButtons,00000004,?), ref: 0058D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0058D28B,SwapMouseButtons,00000004,?,?,?,?,0058C865), ref: 0058D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0058D28B,SwapMouseButtons,00000004,?,?,?,?,0058C865), ref: 0058D2FF

Strings

Control Panel\Mouse, xrefs: 0058D2BA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6ff5de578dfad31cda7e6a011f73181451807855881c5d0d001577d0c137597e
Instruction ID: afb4780e71d8fd5c06537f21ae99acca89ebe6498c8ee62c47585b04d660eb72
Opcode Fuzzy Hash: 6ff5de578dfad31cda7e6a011f73181451807855881c5d0d001577d0c137597e
Instruction Fuzzy Hash: 3F112775611208BFDF20AFA4CC84EAE7BFCEF54754B104869B806E7150EA31AE45AB60

Function 016CB240 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016CBA6D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016CBA91
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016CBAB3

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: 2a9b72a1041ad1f742f51c694a9339637c76ddc15988b6fd02d65bf5cb061da7
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: A8620B30A142589BEB24CFA4CC51BEEB772EF58700F1091A9D10DEB394E7769E81CB59

Function 005BC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00574517: _fseek.LIBCMT ref: 0057452F

Part of subcall function 005BC56D: _wcscmp.LIBCMT ref: 005BC65D
Part of subcall function 005BC56D: _wcscmp.LIBCMT ref: 005BC670

_free.LIBCMT ref: 005BC4DD
_free.LIBCMT ref: 005BC4E4
_free.LIBCMT ref: 005BC54F

Part of subcall function 00591C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00597A85), ref: 00591CB1
Part of subcall function 00591C9D: GetLastError.KERNEL32(00000000,?,00597A85), ref: 00591CC3

_free.LIBCMT ref: 005BC557

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 67c45a9f93823d19bdfcc2b2bb019030bb8c66fa1e688425328fba33e0c9ed59
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 53513BB1904219AFDF249F64DC85BADBBB9FF48300F1044AEB259A3241DB716A809F58

Function 0058EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0058EBB2

Part of subcall function 005751AF: _memset.LIBCMT ref: 0057522F
Part of subcall function 005751AF: _wcscpy.LIBCMT ref: 00575283
Part of subcall function 005751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00575293

KillTimer.USER32(?,00000001,?,?), ref: 0058EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0058EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005E3C88

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 85d75b499b58fdab176a7a39a4202479bdf3cb7b070c75ad29c3901c1312e25c
Instruction ID: a92974b93fc7e31875b01ccef1f78623c43b485ba7d5fde237c36db8844c9403
Opcode Fuzzy Hash: 85d75b499b58fdab176a7a39a4202479bdf3cb7b070c75ad29c3901c1312e25c
Instruction Fuzzy Hash: 0D21C8719047849FE7369B288859BE6BFFDAF11304F14044DE68E67141C7746E84CB51

Function 005BC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005BC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005BC746

Strings

aut, xrefs: 005BC740

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a6d8d557b4adc8db6a2d73b822d363a6b1a714447a11404b89bdd548a1c8d6a7
Instruction ID: 0adb899d3b3beb80c30215a49303a9f6bad3ba8bf105711c21e9ae254c83f797
Opcode Fuzzy Hash: a6d8d557b4adc8db6a2d73b822d363a6b1a714447a11404b89bdd548a1c8d6a7
Instruction Fuzzy Hash: 65D05E7554031EABDB10AB90EC0EF9A777D9710704F0001A07A90E50B1DBB9E699CBA4

Function 005CF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1da3319bf741824dbac29147eb5f1727f06d42f95af8204f33f4498b016631c
Instruction ID: 1a99c4a0c4c85cf0e5b2140835fcb6d1a0840cba650a1f4a664a191c8bbff838
Opcode Fuzzy Hash: d1da3319bf741824dbac29147eb5f1727f06d42f95af8204f33f4498b016631c
Instruction Fuzzy Hash: FFF13A716043029FC710DF64C485B6ABBE5FFC8314F14896EF9999B291DB70E945CB82

Function 0059395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00593973

Part of subcall function 005981C2: __NMSG_WRITE.LIBCMT ref: 005981E9
Part of subcall function 005981C2: __NMSG_WRITE.LIBCMT ref: 005981F3

__NMSG_WRITE.LIBCMT ref: 0059397A

Part of subcall function 0059821F: GetModuleFileNameW.KERNEL32(00000000,00630312,00000104,00000000,00000001,00000000), ref: 005982B1
Part of subcall function 0059821F: ___crtMessageBoxW.LIBCMT ref: 0059835F

Part of subcall function 00591145: ___crtCorExitProcess.LIBCMT ref: 0059114B
Part of subcall function 00591145: ExitProcess.KERNEL32 ref: 00591154

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000001,00000000,?,?,0058F507,?,0000000E), ref: 0059399F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 2bedf47140cab106741edb0b8814878bea9181de00f816fd230560add4f24ecc
Instruction ID: 67ad403940a9089d94a8ff5626a95b661b4abbb9785744ad6ced014ff1deb0b4
Opcode Fuzzy Hash: 2bedf47140cab106741edb0b8814878bea9181de00f816fd230560add4f24ecc
Instruction Fuzzy Hash: A1019236245612DAEF213F24DC5AB3A2F98BBC5B64B211026F5099B1D2DBB0DD0086A4

Function 005BC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,005BC385,?,?,?,?,?,00000004), ref: 005BC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,005BC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005BC708
CloseHandle.KERNEL32(00000000,?,005BC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005BC70F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0e191291e87715e73ee9629ef0b67379bafae2df6e447474a452d7eff8d0919f
Instruction ID: 0727ec47faa34f2930dd0b5edffb86f8d7dbfa67c7b0fec8bbbc668aad3d9205
Opcode Fuzzy Hash: 0e191291e87715e73ee9629ef0b67379bafae2df6e447474a452d7eff8d0919f
Instruction Fuzzy Hash: F4E08632140214B7DB212B54AC0DFDE7F29EB15764F104110FB15A90E097B52525D7A8

Function 005BBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005BBB72

Part of subcall function 00591C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00597A85), ref: 00591CB1
Part of subcall function 00591C9D: GetLastError.KERNEL32(00000000,?,00597A85), ref: 00591CC3

_free.LIBCMT ref: 005BBB83
_free.LIBCMT ref: 005BBB95

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 18e83a12f050181cd6dadc9e64961008b3a34b48783d85811a6a7cb5b995322a
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 0DE012A1641B5347EE2465796E48EF71BCC7F44351714081DB45AE7146CFA4FC4085A8

Function 00572322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 005722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005724F1), ref: 00572303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005725A1
CoInitialize.OLE32(00000000), ref: 00572618
CloseHandle.KERNEL32(00000000), ref: 005E503A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: c0077622dec347dceb3f9e163684f34231a9921b662bcc8b6910b05a80735fce
Instruction ID: 2bd7c750ad874f3157f52500937f69ea71e77bc3b45cfd3c133a428bd4291883
Opcode Fuzzy Hash: c0077622dec347dceb3f9e163684f34231a9921b662bcc8b6910b05a80735fce
Instruction Fuzzy Hash: D071B0B49012868BC704EF6AB994596BFE7FB9B340780A12ED519CF272CB304685CFD4

Function 00573A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00573A73

Part of subcall function 00591405: __lock.LIBCMT ref: 0059140B

Part of subcall function 00573ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00573AF3
Part of subcall function 00573ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00573B08

Part of subcall function 00573D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00573AA3,?), ref: 00573D45
Part of subcall function 00573D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00573AA3,?), ref: 00573D57
Part of subcall function 00573D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00631148,00631130,?,?,?,?,00573AA3,?), ref: 00573DC8
Part of subcall function 00573D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00573AA3,?), ref: 00573E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00573AB3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 1b8905a3455c6614d1bb20de437074ecb2a9b12776785a4b8922b0abd2b81113
Instruction ID: 3d845779b0cc8bdf04808200381e56c4842f216fe1c1747f0959069ea3c9eaab
Opcode Fuzzy Hash: 1b8905a3455c6614d1bb20de437074ecb2a9b12776785a4b8922b0abd2b81113
Instruction Fuzzy Hash: 2211AE719043429BC704EF25EC4991ABFEAFBD5350F00891EF588872A1DB708944CFD2

Function 0059E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0059EA29
__close_nolock.LIBCMT ref: 0059EA42

Part of subcall function 00597BDA: __getptd_noexit.LIBCMT ref: 00597BDA

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 7eb08ef490e0e6b504f54745e491bd26ac03dba8d056f699ee4983c325876d5f
Instruction ID: f326812b524c58a136962b4d09170e08667d24d5a98fcd445a23e0349cd37c76
Opcode Fuzzy Hash: 7eb08ef490e0e6b504f54745e491bd26ac03dba8d056f699ee4983c325876d5f
Instruction Fuzzy Hash: 97119A72809A169ADF12FB68884B3183E627FC1331F2A0640E4201B1F3DBB88D008AA1

Function 0058F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0059395C: __FF_MSGBANNER.LIBCMT ref: 00593973
Part of subcall function 0059395C: __NMSG_WRITE.LIBCMT ref: 0059397A
Part of subcall function 0059395C: RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000001,00000000,?,?,0058F507,?,0000000E), ref: 0059399F

std::exception::exception.LIBCMT ref: 0058F51E
__CxxThrowException@8.LIBCMT ref: 0058F533

Part of subcall function 00596805: RaiseException.KERNEL32(?,?,0000000E,00626A30,?,?,?,0058F538,0000000E,00626A30,?,00000001), ref: 00596856

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c4617c501b5381f37d27649e339f901ca465ee913f6885d50a9ee63c1c916974
Instruction ID: f1669aa6acd933edef915ee32b10b9434a2215e021c41ef5ace3178ac527eb86
Opcode Fuzzy Hash: c4617c501b5381f37d27649e339f901ca465ee913f6885d50a9ee63c1c916974
Instruction Fuzzy Hash: 1CF08C3110421FA7DF04BF98E8069EE7EE9BB48354F604426FE08A2181DBB4964497A9

Function 005935E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

__lock_file.LIBCMT ref: 00593629

Part of subcall function 00594E1C: __lock.LIBCMT ref: 00594E3F

__fclose_nolock.LIBCMT ref: 00593634

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5874667b161c483030a66d6311db24e0ce234a953a215e425822afd8bf12d6d6
Instruction ID: a27756f587c5e4d6f228e423ba37d0c1b0ff8f2d95716fa10244a970dbff7efe
Opcode Fuzzy Hash: 5874667b161c483030a66d6311db24e0ce234a953a215e425822afd8bf12d6d6
Instruction Fuzzy Hash: DAF0B432801606EADF11BFA5C90A76F7EA17F81730F268109E421EB2C1CB7C8E059F55

Function 016CB23D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016CBA6D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016CBA91
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016CBAB3

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 7fd33dff91beaeaa99b34fb4b555794a08bde5ee88629e523f5b897b429f0d3d
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 2612EE24E18658C6EB24DF64D8507DEB232EF68740F1090ED910DEB7A4E77A4E81CF5A

Function 00592957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00592A0B

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: ffa5be25e00fc366179bdb315aea60ffb1ce3ced45a227ea66d71b4679def818
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: EC41A132700706BFDF288EA9C8855AE7FA6BF85360F24852DE855C7640EBB4DD858B40

Function 0058ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0058EDC7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e594d865ad5ccf4854d0213d36bba126f38ed4cc5795baf3332d6169de5fc2d3
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: F131F870A01105DBC718EF58C482969FBB6FF49340B6486A9E809EB366DB30EDC5CBC0

Function 005E9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005E9A80

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 146fa7d8f2b2ca097a91fcd23341096d1789bf44737c1f1fcba2a26134c2a24b
Instruction ID: 9823b853088641dbc5acd2b0ea7ecc069e150eddb5fe6fa3d010965c197040b4
Opcode Fuzzy Hash: 146fa7d8f2b2ca097a91fcd23341096d1789bf44737c1f1fcba2a26134c2a24b
Instruction Fuzzy Hash: 4E413C705046518FDB24EF15C448B1ABFE1BF85304F19899CE99A5B362C772F886CF52

Function 005741A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00574214: FreeLibrary.KERNEL32(00000000,?), ref: 00574247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,005739FE,?,00000001), ref: 005741DB

Part of subcall function 00574291: FreeLibrary.KERNEL32(00000000), ref: 005742C4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 44775373e17aed1b442908521057dd1e5b8a1a974e365f3a85dd9f2ccb1e7da9
Instruction ID: d5102cb402ca4ba83be74d651d5428e18279ae7cdaec5f52c479d446c18fb893
Opcode Fuzzy Hash: 44775373e17aed1b442908521057dd1e5b8a1a974e365f3a85dd9f2ccb1e7da9
Instruction Fuzzy Hash: 9811CB35600207AADF14AB61EC0AFAD7BA57F80700F10C429B59AA61C2DB749A50AF60

Function 005E9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005E9B51

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1fbd76336919d8e5c2e742cc6ef39e47e1b5822e427bbd2cf04f0fd344df53fa
Instruction ID: 75da7ee6cd517061e525286ede6ef6221559fa985c6e5cb5f22b5a0c30db8606
Opcode Fuzzy Hash: 1fbd76336919d8e5c2e742cc6ef39e47e1b5822e427bbd2cf04f0fd344df53fa
Instruction Fuzzy Hash: C6210770508602CFDB64EF64C448A1ABFE1BF89304F15496CE99A5B262D731F849DF52

Function 0059AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0059AFC0

Part of subcall function 00597BDA: __getptd_noexit.LIBCMT ref: 00597BDA

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 8151e2af55ce2570e8127363d1e63cdf41b1f541f6825f9fdce0a97f5ae264fa
Instruction ID: dadbae2b6a2b13886884b5d9de7a921ade60ebb76845e642de04632ed5caf9f3
Opcode Fuzzy Hash: 8151e2af55ce2570e8127363d1e63cdf41b1f541f6825f9fdce0a97f5ae264fa
Instruction Fuzzy Hash: 9E11BF728146059BFF12BFA4E90E35A3E62BF81331F2A4740E4340F1E2D7B88D048BA1

Function 005739DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: 94ede951815a1230551dd2cb1e3151ee10613bd5f7b17b048ef83e3dfe2ea333
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 1A01863150014AAFCF04EF65D8828EEBF78FF50304F00C065B56697195EB309A49EF64

Function 00592AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00592AED

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4f7880afef3648c264d51e097d82393197d205e7acf17ee3d5fd19ff631a6081
Instruction ID: 4936f46384feaa77df0816d0d970a133a3f8518a86da908f96d8a5d76b0635dd
Opcode Fuzzy Hash: 4f7880afef3648c264d51e097d82393197d205e7acf17ee3d5fd19ff631a6081
Instruction Fuzzy Hash: 67F06D3290020ABADF21AF648C0A79F3EA6BF80320F158415F8149A1A1D7B88A66DB51

Function 00574252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,005739FE,?,00000001), ref: 00574286

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 300f5f059850163ab7ee5082d2a9f8e7690c7452980bf736aeac9e0dfa0ceb1e
Instruction ID: 7a3af82083bef9eed54315946c46f7707750052ba0098e9b3345163ba63a5785
Opcode Fuzzy Hash: 300f5f059850163ab7ee5082d2a9f8e7690c7452980bf736aeac9e0dfa0ceb1e
Instruction Fuzzy Hash: 33F01C75505702DFCB359F64E494816BBF5BF14315724CA2EF1DA82511C7319854EF50

Function 005740A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005740C6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 15b3ba7066f8afba5ef6691e950971ff14bfcdba67e2690e91e9fb3084da9636
Instruction ID: 2ccb9333c81bbde6be54a3614b64f7e41ae6c2951bab28824ebb0bbe1a0a294d
Opcode Fuzzy Hash: 15b3ba7066f8afba5ef6691e950971ff14bfcdba67e2690e91e9fb3084da9636
Instruction Fuzzy Hash: 99E0CD375001255BC7119754DC46FFA77ADEFC8690F054075F909D7244D964D981D6A0

Function 016CC23C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016CC251

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 724ad54ba2b106edcc07217481110add59c96c4bb98b99aa09d4713065939699
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 9EE0BF7494410DEFDB00EFE4D9496EE7BB4EF04701F1045A5FD05D7681DB309E548A62

Function 016CC240 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016CC251

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 37b0613bd18304ffa8222ceacb3cf3d0970ac2a3437a538e713246fca9e41577
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1DE0E67494410DDFDB00EFF4D9496AE7FB4EF04701F104165FD05D2281D6309D508A72

Non-executed Functions

Function 005DF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 005DF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005DF8DC
GetWindowLongW.USER32(?,000000F0), ref: 005DF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005DF940
SendMessageW.USER32 ref: 005DF966
_wcsncpy.LIBCMT ref: 005DF9D2
GetKeyState.USER32(00000011), ref: 005DF9F3
GetKeyState.USER32(00000009), ref: 005DFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005DFA16
GetKeyState.USER32(00000010), ref: 005DFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005DFA4F
SendMessageW.USER32 ref: 005DFA72
SendMessageW.USER32(?,00001030,?,005DE059), ref: 005DFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 005DFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005DFB96
SetCapture.USER32(?), ref: 005DFB9F
ClientToScreen.USER32(?,?), ref: 005DFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005DFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 005DFC29
ReleaseCapture.USER32 ref: 005DFC34
GetCursorPos.USER32(?), ref: 005DFC69
ScreenToClient.USER32(?,?), ref: 005DFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 005DFCD8
SendMessageW.USER32 ref: 005DFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 005DFD41
SendMessageW.USER32 ref: 005DFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005DFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005DFD8F
GetCursorPos.USER32(?), ref: 005DFDB0
ScreenToClient.USER32(?,?), ref: 005DFDBD
GetParent.USER32(?), ref: 005DFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 005DFE3F
SendMessageW.USER32 ref: 005DFE6F
ClientToScreen.USER32(?,?), ref: 005DFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005DFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 005DFF19
SendMessageW.USER32 ref: 005DFF3C
ClientToScreen.USER32(?,?), ref: 005DFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005DFFB6
GetWindowLongW.USER32(?,000000F0), ref: 005E004B

Strings

F, xrefs: 005DFF42
@GUI_DRAGID, xrefs: 005DFBCC

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: d0055f54d2b437c6a72d537b710771f3bedfc28f0c8805c78cb9f71cd39744e0
Instruction ID: 1bf29790a7dc803f07fe6d44e45fdc3560fc29c913d88a510688767fcaf79c14
Opcode Fuzzy Hash: d0055f54d2b437c6a72d537b710771f3bedfc28f0c8805c78cb9f71cd39744e0
Instruction Fuzzy Hash: 4732BC70604245AFDB20CF68C884B6ABFA9FF4A354F040A2AF596D73A1C731DD45EB52

Function 005DAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 005DB1CD

Strings

%d/%02d/%02d, xrefs: 005DAEFC

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 183913e80522d98fbfa439333ce83d1610aad2ae51be1da6867b680461e05d41
Instruction ID: fd92343f1b311ed4922f1ae4729ee95815032c0dfe46ebcf902cb1616de74589
Opcode Fuzzy Hash: 183913e80522d98fbfa439333ce83d1610aad2ae51be1da6867b680461e05d41
Instruction Fuzzy Hash: 7012AD71500209ABEB249F68CC49FAB7FBAFF85710F10451BF919DA2A1DBB48941DB21

Function 0058EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0058EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E3AEA
IsIconic.USER32(000000FF), ref: 005E3AF3
ShowWindow.USER32(000000FF,00000009), ref: 005E3B00
SetForegroundWindow.USER32(000000FF), ref: 005E3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005E3B20
GetCurrentThreadId.KERNEL32 ref: 005E3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 005E3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005E3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005E3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 005E3B54
SetForegroundWindow.USER32(000000FF), ref: 005E3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 005E3B6C
keybd_event.USER32(00000012,00000000), ref: 005E3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 005E3B81
keybd_event.USER32(00000012,00000000), ref: 005E3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 005E3B8F
keybd_event.USER32(00000012,00000000), ref: 005E3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 005E3B9E
keybd_event.USER32(00000012,00000000), ref: 005E3BA3
SetForegroundWindow.USER32(000000FF), ref: 005E3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 005E3BCD

Strings

Shell_TrayWnd, xrefs: 005E3AE5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 36f6a73373a89801afa2be93d1cbbaf6e77a4d2420b57a2cc202fa612613cc16
Instruction ID: db6968b36e0a8bb9430508e57f5ccfa18fac7076f722b57b7603fabf556e3c79
Opcode Fuzzy Hash: 36f6a73373a89801afa2be93d1cbbaf6e77a4d2420b57a2cc202fa612613cc16
Instruction Fuzzy Hash: D2316E71A40218BBEB206B668C4AF7E7E7DEB44B50F104025FA05EB1D0DAB45904EAB0

Function 005B60DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005B5FA6,?), ref: 005B6ED8

Part of subcall function 005B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005B5FA6,?), ref: 005B6EF1

Part of subcall function 005B725E: __wsplitpath.LIBCMT ref: 005B727B
Part of subcall function 005B725E: __wsplitpath.LIBCMT ref: 005B728E

Part of subcall function 005B72CB: GetFileAttributesW.KERNEL32(?,005B6019), ref: 005B72CC

_wcscat.LIBCMT ref: 005B6149
_wcscat.LIBCMT ref: 005B6167
__wsplitpath.LIBCMT ref: 005B618E
FindFirstFileW.KERNEL32(?,?), ref: 005B61A4
_wcscpy.LIBCMT ref: 005B6209
_wcscat.LIBCMT ref: 005B621C
_wcscat.LIBCMT ref: 005B622F
lstrcmpiW.KERNEL32(?,?), ref: 005B625D
DeleteFileW.KERNEL32(?), ref: 005B626E
MoveFileW.KERNEL32(?,?), ref: 005B6289
MoveFileW.KERNEL32(?,?), ref: 005B6298
CopyFileW.KERNEL32(?,?,00000000), ref: 005B62AD
DeleteFileW.KERNEL32(?), ref: 005B62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005B62E1
FindClose.KERNEL32(00000000), ref: 005B62FD
FindClose.KERNEL32(00000000), ref: 005B630B

Strings

\*.*, xrefs: 005B6138, 005B6147, 005B6165
p1Mw`KNw, xrefs: 005B61BA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1Mw`KNw
API String ID: 1917200108-2160596699
Opcode ID: 0fc9ef82290af264c584c5ecb8a70378903243e38e3ef82f1223750cb8a682ca
Instruction ID: 776acc6995a32dba96d5bc68bb6b94a6d99cd2550b22c3c17fabdfa9aea34cdf
Opcode Fuzzy Hash: 0fc9ef82290af264c584c5ecb8a70378903243e38e3ef82f1223750cb8a682ca
Instruction Fuzzy Hash: 3A514F7680811D6ACB21EB91CC49DEBBBBCBF54300F0904E6E545E3141DA3AA789DFA4

Function 005C6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0060DC00), ref: 005C6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 005C6B44
GetClipboardData.USER32(0000000D), ref: 005C6B4C
CloseClipboard.USER32 ref: 005C6B58
GlobalLock.KERNEL32(00000000), ref: 005C6B74
CloseClipboard.USER32 ref: 005C6B7E
GlobalUnlock.KERNEL32(00000000), ref: 005C6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 005C6BA0
GetClipboardData.USER32(00000001), ref: 005C6BA8
GlobalLock.KERNEL32(00000000), ref: 005C6BB5
GlobalUnlock.KERNEL32(00000000), ref: 005C6BE9
CloseClipboard.USER32 ref: 005C6CF6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 703979d18960dff9e90ccf1b256d4a31d758d80e9d12af61ef478b480682c6df
Instruction ID: 5c2b88a363a01478cf8b9dddfe2bdc69096fcee508fad383fc717ae72ec7b2bf
Opcode Fuzzy Hash: 703979d18960dff9e90ccf1b256d4a31d758d80e9d12af61ef478b480682c6df
Instruction Fuzzy Hash: 62516E75200202AFD310AFA4DD4AF7E7BB9BF94B11F00442DF58AD61D1DF64D909EA62

Function 005BF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005BF62B
FindClose.KERNEL32(00000000), ref: 005BF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005BF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005BF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 005BF6E2
__swprintf.LIBCMT ref: 005BF72E
__swprintf.LIBCMT ref: 005BF767
__swprintf.LIBCMT ref: 005BF7BB

Part of subcall function 0059172B: __woutput_l.LIBCMT ref: 00591784

__swprintf.LIBCMT ref: 005BF809
__swprintf.LIBCMT ref: 005BF858
__swprintf.LIBCMT ref: 005BF8A7
__swprintf.LIBCMT ref: 005BF8F6

Strings

%02d, xrefs: 005BF7B0, 005BF7B9, 005BF807, 005BF856, 005BF8A5, 005BF8F4
%4d, xrefs: 005BF761
%4d%02d%02d%02d%02d%02d, xrefs: 005BF728

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 9c4ae662679737a91eaf6f1329a48e8eaa689348d3f164e75c6b349c386d9ee1
Instruction ID: 95525cc3f5df9c922d513c4d8e26eb94100a507850a48302617110e2e3caa60a
Opcode Fuzzy Hash: 9c4ae662679737a91eaf6f1329a48e8eaa689348d3f164e75c6b349c386d9ee1
Instruction Fuzzy Hash: 8DA1FCB1408345ABC310EB94D889DAFBBECFF98704F40492EF59586151EB34D949DB62

Function 005C1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 005C1B50
_wcscmp.LIBCMT ref: 005C1B65
_wcscmp.LIBCMT ref: 005C1B7C
GetFileAttributesW.KERNEL32(?), ref: 005C1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 005C1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 005C1BC0
FindClose.KERNEL32(00000000), ref: 005C1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 005C1BE7
_wcscmp.LIBCMT ref: 005C1C0E
_wcscmp.LIBCMT ref: 005C1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 005C1C37
SetCurrentDirectoryW.KERNEL32(006239FC), ref: 005C1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C1C5F
FindClose.KERNEL32(00000000), ref: 005C1C6C
FindClose.KERNEL32(00000000), ref: 005C1C7C

Strings

*.*, xrefs: 005C1BE2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: cbbada90ad2b26ee6e18d8a4adf8c5bab9b68b3b5fbec4624327aa303f45fc2b
Instruction ID: 85c159b362dbf2f10f5a31f35f76c9cfb33093c65276be3fee457337a3cff7d0
Opcode Fuzzy Hash: cbbada90ad2b26ee6e18d8a4adf8c5bab9b68b3b5fbec4624327aa303f45fc2b
Instruction Fuzzy Hash: 4F31B432640A1A6EDF109BE0DC49FEE7BBDAF46324F104159F801D2191EB74DE85DE68

Function 005C1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 005C1CAB
_wcscmp.LIBCMT ref: 005C1CC0
_wcscmp.LIBCMT ref: 005C1CD7

Part of subcall function 005B6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005B6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 005C1D06
FindClose.KERNEL32(00000000), ref: 005C1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 005C1D2D
_wcscmp.LIBCMT ref: 005C1D54
_wcscmp.LIBCMT ref: 005C1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 005C1D7D
SetCurrentDirectoryW.KERNEL32(006239FC), ref: 005C1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C1DA5
FindClose.KERNEL32(00000000), ref: 005C1DB2
FindClose.KERNEL32(00000000), ref: 005C1DC2

Strings

*.*, xrefs: 005C1D28

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 32feb2ab343e499b5a40108fc8b19b9a2c958e00fe9d76b4dcbf3e57f15c8e56
Instruction ID: 1ed4a4a074e98e36b1753e4b89c633fd438745c084468e5ea225605ad08d184d
Opcode Fuzzy Hash: 32feb2ab343e499b5a40108fc8b19b9a2c958e00fe9d76b4dcbf3e57f15c8e56
Instruction Fuzzy Hash: F731B531500A2A6ECF10ABE0DC09FEE7BA9AF46320F110555F802E2191DB74DE45DE68

Function 005C091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005C09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 005C09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005C09FB
__wsplitpath.LIBCMT ref: 005C0A59
_wcscat.LIBCMT ref: 005C0A71
_wcscat.LIBCMT ref: 005C0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 005C0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 005C0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 005C0AFF
_wcscpy.LIBCMT ref: 005C0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005C0B4A

Strings

*.*, xrefs: 005C0B05

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 0b67e315469a0612c330e44a8123c2625e942fb52bab4f2901b92017888f7e85
Instruction ID: 2378a6faca1f4d30672d714e96b0c0c0da2fed34df70edc6eddcd5146daf92ba
Opcode Fuzzy Hash: 0b67e315469a0612c330e44a8123c2625e942fb52bab4f2901b92017888f7e85
Instruction Fuzzy Hash: CB6148765042069FC710EFA0C844EAEBBE9FF89314F04891DF989C7292DB35E945CB92

Function 005AA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005AABD7
Part of subcall function 005AABBB: GetLastError.KERNEL32(?,005AA69F,?,?,?), ref: 005AABE1
Part of subcall function 005AABBB: GetProcessHeap.KERNEL32(00000008,?,?,005AA69F,?,?,?), ref: 005AABF0
Part of subcall function 005AABBB: HeapAlloc.KERNEL32(00000000,?,005AA69F,?,?,?), ref: 005AABF7
Part of subcall function 005AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005AAC0E

Part of subcall function 005AAC56: GetProcessHeap.KERNEL32(00000008,005AA6B5,00000000,00000000,?,005AA6B5,?), ref: 005AAC62
Part of subcall function 005AAC56: HeapAlloc.KERNEL32(00000000,?,005AA6B5,?), ref: 005AAC69
Part of subcall function 005AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005AA6B5,?), ref: 005AAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005AA6D0
_memset.LIBCMT ref: 005AA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005AA704
GetLengthSid.ADVAPI32(?), ref: 005AA715
GetAce.ADVAPI32(?,00000000,?), ref: 005AA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005AA76E
GetLengthSid.ADVAPI32(?), ref: 005AA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005AA79A
HeapAlloc.KERNEL32(00000000), ref: 005AA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005AA7C2
CopySid.ADVAPI32(00000000), ref: 005AA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005AA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005AA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005AA834

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9757a862ba2ab149304ed9463ee50332800740276aba9c0f4fd5797112683632
Instruction ID: cb1ca905774f7285bc36d22f653e446da64e4bfcc3a772fe2484f1cb0da56c49
Opcode Fuzzy Hash: 9757a862ba2ab149304ed9463ee50332800740276aba9c0f4fd5797112683632
Instruction Fuzzy Hash: 75511D7190020AABDF109FA5DC49EEEBBB9FF45300F048129F915E7291EB399905DB61

Function 00576F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 005F2EBA
a, xrefs: 00576F77
aaa a, xrefs: 00577096, 0057709C
CRLF), xrefs: 005F2E43
LIMIT_MATCH=, xrefs: 005F2CF2
UCP), xrefs: 005F2C8F
NO_AUTO_POSSESS), xrefs: 005F2CB0
LIMIT_RECURSION=, xrefs: 005F2D7E
LF), xrefs: 005F2E26
UTF), xrefs: 005F2C7C
ANY), xrefs: 005F2E60
CR), xrefs: 005F2E09
ANYCRLF), xrefs: 005F2E7D
BSR_ANYCRLF), xrefs: 005F2EA0
NO_START_OPT), xrefs: 005F2CD1
UTF16), xrefs: 005F2C56

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID: a$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$aaa a
API String ID: 0-2867935612
Opcode ID: aba8f74173c0b1d2fcf0cf179a9a950563784651f63f2b89cef16373aa3a4f86
Instruction ID: 1de22a818e2f0335f99184a154162902ebf4294f031b7d3a88d76cb6b5ed25b2
Opcode Fuzzy Hash: aba8f74173c0b1d2fcf0cf179a9a950563784651f63f2b89cef16373aa3a4f86
Instruction Fuzzy Hash: 8E7270B1E042199BDF14CF58E8407BEBFB5BF48310F24856AE919EB281DB749E41DB90

Function 005B63F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005B5FA6,?), ref: 005B6ED8

Part of subcall function 005B72CB: GetFileAttributesW.KERNEL32(?,005B6019), ref: 005B72CC

_wcscat.LIBCMT ref: 005B6441
__wsplitpath.LIBCMT ref: 005B645F
FindFirstFileW.KERNEL32(?,?), ref: 005B6474
_wcscpy.LIBCMT ref: 005B64A3
_wcscat.LIBCMT ref: 005B64B8
_wcscat.LIBCMT ref: 005B64CA
DeleteFileW.KERNEL32(?), ref: 005B64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 005B64EB
FindClose.KERNEL32(00000000), ref: 005B6506

Strings

\*.*, xrefs: 005B643B
p1Mw`KNw, xrefs: 005B64DA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1Mw`KNw
API String ID: 2643075503-2160596699
Opcode ID: 8b4a5412f158d0014bbcbce74418339623f4d4596a797b7dc0d8cef48ffa1a27
Instruction ID: 84469524003ac07ea0e5f8410bf9cc3d883b693b0b1cb5d9c48ea246ca794298
Opcode Fuzzy Hash: 8b4a5412f158d0014bbcbce74418339623f4d4596a797b7dc0d8cef48ffa1a27
Instruction Fuzzy Hash: 033154B24083856EC721DBA48889DEBBBECBF95310F44091AF6D9C3141EA39E50DD767

Function 005D31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005D2BB5,?,?), ref: 005D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005D328E

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005D332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005D33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005D3604
RegCloseKey.ADVAPI32(00000000), ref: 005D3611

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: d151c3dbfe49f596bfae81455256420177a2a7a0ec50eee5d87ed4cd3cc6e969
Instruction ID: fd8c3f522defa9f09f9a5df2f97c09ea56075498e890b2c68a25557a06544e40
Opcode Fuzzy Hash: d151c3dbfe49f596bfae81455256420177a2a7a0ec50eee5d87ed4cd3cc6e969
Instruction Fuzzy Hash: 52E14B71604201AFCB24DF28D995E2ABFE9FF89310F04896EF44AD7261DB30E905DB52

Function 005B2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005B2B5F
GetAsyncKeyState.USER32(000000A0), ref: 005B2BE0
GetKeyState.USER32(000000A0), ref: 005B2BFB
GetAsyncKeyState.USER32(000000A1), ref: 005B2C15
GetKeyState.USER32(000000A1), ref: 005B2C2A
GetAsyncKeyState.USER32(00000011), ref: 005B2C42
GetKeyState.USER32(00000011), ref: 005B2C54
GetAsyncKeyState.USER32(00000012), ref: 005B2C6C
GetKeyState.USER32(00000012), ref: 005B2C7E
GetAsyncKeyState.USER32(0000005B), ref: 005B2C96
GetKeyState.USER32(0000005B), ref: 005B2CA8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: daa5e373173179ade0f6f26e730a0b952994a9e3b559f88a5b2dd37412d1335d
Instruction ID: 173c993fe6226d479c6dafffe0ba6a39c8fddc50041b007a949e3be32291532c
Opcode Fuzzy Hash: daa5e373173179ade0f6f26e730a0b952994a9e3b559f88a5b2dd37412d1335d
Instruction Fuzzy Hash: 494192345047C979FF359B6489083F9BEA17B21344F048059D5C69A6C2DBA8ADC8C7B2

Function 005C6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005C6D2E
EmptyClipboard.USER32 ref: 005C6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 005C6D49
CloseClipboard.USER32 ref: 005C6DE8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4d30fd0112272e0d00b26c86a504df9432eeb33032779b2c9a89a6e7b8ea80eb
Instruction ID: 2b778a19a8d2abc0d66e61a709736202162e76083f4c2c3fed07223fd64c53df
Opcode Fuzzy Hash: 4d30fd0112272e0d00b26c86a504df9432eeb33032779b2c9a89a6e7b8ea80eb
Instruction Fuzzy Hash: FA216831200211AFDB01AF64DC49B3D7BAAFF54711F008419F90ADB2A1CB38EA01DBA5

Function 005CC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 005A9ABF: CLSIDFromProgID.OLE32 ref: 005A9ADC
Part of subcall function 005A9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 005A9AF7
Part of subcall function 005A9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 005A9B05
Part of subcall function 005A9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005A9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 005CC235
_memset.LIBCMT ref: 005CC242
_memset.LIBCMT ref: 005CC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 005CC38C
CoTaskMemFree.OLE32(?), ref: 005CC397

Strings

NULL Pointer assignment, xrefs: 005CC3E5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c24a46ef3dabcf9e1bec560e9f9058c2e587ee17d35afaa252d0a9ebbb38947e
Instruction ID: b7cbdd42f2dbedb11c13faabe45dba1084d59fa85cb9c99355fb1cecb7994dc9
Opcode Fuzzy Hash: c24a46ef3dabcf9e1bec560e9f9058c2e587ee17d35afaa252d0a9ebbb38947e
Instruction Fuzzy Hash: FE912671D00219AFDB10DF94E895EEEBFB9FF48710F10811AF919A7281DB709A45CBA0

Function 005B79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005AB180
Part of subcall function 005AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005AB1AD
Part of subcall function 005AB134: GetLastError.KERNEL32 ref: 005AB1BA

ExitWindowsEx.USER32(?,00000000), ref: 005B7A0F

Strings

SeShutdownPrivilege, xrefs: 005B79DD
@, xrefs: 005B7A02
, xrefs: 005B79FD

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 627776a03e704480318ffdc94c8c81e50712d3eac27a03578529cf5c3d45967a
Instruction ID: 8bfa509e95cf6f5da05d835447011896e33dcebd5b11b77ddd67a76ecb2aa580
Opcode Fuzzy Hash: 627776a03e704480318ffdc94c8c81e50712d3eac27a03578529cf5c3d45967a
Instruction Fuzzy Hash: 2901F77165822A6BF7681674DC4EBFF7E58FB89740F250824F953E20C2EA64BE00C1B0

Function 005C8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005C8CA8
WSAGetLastError.WSOCK32(00000000), ref: 005C8CB7
bind.WSOCK32(00000000,?,00000010), ref: 005C8CD3
listen.WSOCK32(00000000,00000005), ref: 005C8CE2
WSAGetLastError.WSOCK32(00000000), ref: 005C8CFC
closesocket.WSOCK32(00000000,00000000), ref: 005C8D10

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 40703804996304134ed927b6334c00d30527897574b4900e4908c29a4b32642e
Instruction ID: ea96ddef2ef3720806b9bb7077b0362fd542ff150dd0dfe1d14269971c8f19bd
Opcode Fuzzy Hash: 40703804996304134ed927b6334c00d30527897574b4900e4908c29a4b32642e
Instruction Fuzzy Hash: 422193356001019FC710AF68D949B7EBBB9FF44314F108558F956AB2D2CB34AD46DB61

Function 005AAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005AAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 005AAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005AAFC4
CloseHandle.KERNEL32(00000004), ref: 005AAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005AAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 005AB012

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6560584a2e807e0c3ee68cfb69dcba7b84071f31372b8161790debb88fd39124
Instruction ID: 482789cc69aea27877ce5861c2185bd8db05a4930d07278b175732a63edd7d29
Opcode Fuzzy Hash: 6560584a2e807e0c3ee68cfb69dcba7b84071f31372b8161790debb88fd39124
Instruction Fuzzy Hash: 78215B72101209AFDF129FA4ED09FAE7FAAFF46304F044015FA01A6161D37A9D25EB61

Function 005B6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005B6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 005B6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 005B6583
__wsplitpath.LIBCMT ref: 005B65A7
_wcscat.LIBCMT ref: 005B65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 005B65F9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: a2fb8f6a2ef96c7acf96f7baff99fa0d8bb63f118ab1a1d23d7de687755a7984
Instruction ID: 485881d979f5c4dd8779242698c59688b178772b8f5d21daf36c1f3120f7899b
Opcode Fuzzy Hash: a2fb8f6a2ef96c7acf96f7baff99fa0d8bb63f118ab1a1d23d7de687755a7984
Instruction Fuzzy Hash: 54215371900219ABDB20ABA4CC89FEDBBBDBB48300F5004A5E545D7181E775AF95DB60

Function 00579B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00579EA7
ERCP, xrefs: 00579C32
VUUU, xrefs: 00579ED4
VUUU, xrefs: 005FBE14
a, xrefs: 00579CF3
VUUU, xrefs: 00579E95

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$a
API String ID: 0-2775038551
Opcode ID: f2c0215884dd3f5bc7f41eb583c0abb1b8a4377e6ff5c7a88d38a2f85acd263b
Instruction ID: 40ec0a099b718f34623044614e101566862ccc732c0f51c8364b19f5ff761d74
Opcode Fuzzy Hash: f2c0215884dd3f5bc7f41eb583c0abb1b8a4377e6ff5c7a88d38a2f85acd263b
Instruction Fuzzy Hash: 99929E71E0021ECBDF24CF58D8447BDBBB1BB94310F1485AAE91AAB281D7749D81EF91

Function 005B13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005B13DC

Strings

<2b, xrefs: 005B16FA
|, xrefs: 005B140C
,2b, xrefs: 005B16B1
(, xrefs: 005B1422

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: lstrlen
String ID: ($,2b$<2b$|
API String ID: 1659193697-4021085661
Opcode ID: 7bd0a1f129ed26f2ab6a4637078fc2dff896391acb43000f1551bb2ffa160011
Instruction ID: ad8613dde5f37ac84a2c2181991c570bc327154c5c60c0b3849a813092f8c61a
Opcode Fuzzy Hash: 7bd0a1f129ed26f2ab6a4637078fc2dff896391acb43000f1551bb2ffa160011
Instruction Fuzzy Hash: 7B322675A00B059FCB68CF29C4909AABBF0FF48320B51C56EE59ADB3A1D770E941CB44

Function 005C923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005CA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 005C9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 005C92B9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 1f94214aaa9c7be90114ac07b988d2576e6834dd063de13fbe6cd587f8f3653c
Instruction ID: e636cbfba90e95ca05c06af078abb889eec26da00c056c8d627c8b1794282857
Opcode Fuzzy Hash: 1f94214aaa9c7be90114ac07b988d2576e6834dd063de13fbe6cd587f8f3653c
Instruction Fuzzy Hash: CC41C470600501AFDB10BF688849F7E7BEDFF84724F14844CF956AB282DB749D019BA1

Function 005BEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005BEB8A
_wcscmp.LIBCMT ref: 005BEBBA
_wcscmp.LIBCMT ref: 005BEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 005BEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 005BEC0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7fdf296490438f30027c12a85ca0fe9f32cc5278b3778c94af65673955f9ff0b
Instruction ID: 2151d9aed9cd79f9a3659351a35b19f157ea4b0fbab2292ce5f3277c13131491
Opcode Fuzzy Hash: 7fdf296490438f30027c12a85ca0fe9f32cc5278b3778c94af65673955f9ff0b
Instruction Fuzzy Hash: C6419D356006029FCB18DF28C495AEABBE4FF89324F14455EE95A8B3A1DB31BD44CF91

Function 005D8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005D8160
IsWindowEnabled.USER32 ref: 005D816E
GetForegroundWindow.USER32(?,?,00000001), ref: 005D817B
IsIconic.USER32 ref: 005D8189
IsZoomed.USER32 ref: 005D8197

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: eec14e37948f2ec2532412388c22c70fbc49c1f10b931e3bfaafb39bf886ae1d
Instruction ID: f3e8239e9a173e70b84182c9915d4dd032d693202f8038ecde47205b6086dafe
Opcode Fuzzy Hash: eec14e37948f2ec2532412388c22c70fbc49c1f10b931e3bfaafb39bf886ae1d
Instruction Fuzzy Hash: AD118E31700211ABE7316F6A9C48A7E7FA9FF94760B05442BE849D7341CF74A906C6A4

Function 0058E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0058E014,774D0AE0,0058DEF1,0060DC38,?,?), ref: 0058E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0058E03E

Strings

GetNativeSystemInfo, xrefs: 0058E038
kernel32.dll, xrefs: 0058E027

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 7e1291e66bb1e6b08f1bf9dde23d7ab534634915e3bcb03e90040bfd6f8d64ef
Instruction ID: 9cf01cc81794fa88beb194509ce87c01d3624905818076d3278f251ae807093c
Opcode Fuzzy Hash: 7e1291e66bb1e6b08f1bf9dde23d7ab534634915e3bcb03e90040bfd6f8d64ef
Instruction Fuzzy Hash: C6D05E70400B23AEC7215B60E809A227AF6AB10308F1A4819ACC1E2150DAB8C884DB60

Function 00583B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

c, xrefs: 005E701F
@, xrefs: 00584176
c, xrefs: 005840EC
c, xrefs: 005840A4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ c$ c$ c
API String ID: 3728558374-946635542
Opcode ID: a629fad0986d2828f304ee655d2f7d2db9480b96ce0000a6030f79aa76d67e89
Instruction ID: fe6e685a04e58ac25deda3dd5f263575e40a056a51bb41e67b28b32cd9101822
Opcode Fuzzy Hash: a629fad0986d2828f304ee655d2f7d2db9480b96ce0000a6030f79aa76d67e89
Instruction Fuzzy Hash: 1B72AC34A0420A9FCF14EF94C485AAEBFB5FF88700F14845AED4ABB251D734AE45CB91

Function 0058B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0058B22F

Part of subcall function 0058B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0058B5A5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 1b81d818a720a97a673b1fd9dc3ef20a2e138792189a7e8f2d6316f01f7a4b84
Instruction ID: d5c4e7b3584dd2dd70e4b8fd68cd6f415924336f1dab9f3659366719135efe5f
Opcode Fuzzy Hash: 1b81d818a720a97a673b1fd9dc3ef20a2e138792189a7e8f2d6316f01f7a4b84
Instruction Fuzzy Hash: B0A1F174124106BAFB387A2A5C8ED7F2D6DFB86344B144A1AFC83FA291DB159D01D372

Function 005C4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005C43BF,00000000), ref: 005C4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005C4FD2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 76d237dbe0e404aaa3c5ef277235b6a345c5883b7102c973a03923c0d7acc8ba
Instruction ID: 9218d4611743b0f63835ee51104dfc4ff69ba55d5898c2ef5849bf907a0f1613
Opcode Fuzzy Hash: 76d237dbe0e404aaa3c5ef277235b6a345c5883b7102c973a03923c0d7acc8ba
Instruction Fuzzy Hash: 9C41E971504609BFEB209EC4DC85FBF7BBDFB80754F10402EF605A6240E671AE81DA60

Function 005777B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00577921

Strings

\Qb, xrefs: 005F1028

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _memmove
String ID: \Qb
API String ID: 4104443479-2600166055
Opcode ID: 5d5b20c9b6ee059e531ad1c82e49313d8d9615883b10830e53e96896360d42e6
Instruction ID: 84672374e96d2d7772d17a6c206f021b6aedce3ae55b9c3c17fd8b3afb42651f
Opcode Fuzzy Hash: 5d5b20c9b6ee059e531ad1c82e49313d8d9615883b10830e53e96896360d42e6
Instruction Fuzzy Hash: 71A27B70E04219CFDB28CF58D8846ADBBB1FF48310F2585A9E959AB391D7349E81DF90

Function 005BE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005BE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005BE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 005BE2B4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3cf5990476b040a9040e863d6ea01d085fffe478f54a02be6b94dbfd2302d761
Instruction ID: 6e1664275de57231dfb0d0f8cd2cfe506e7bd257833a07f1796d2750cea686ab
Opcode Fuzzy Hash: 3cf5990476b040a9040e863d6ea01d085fffe478f54a02be6b94dbfd2302d761
Instruction Fuzzy Hash: 50214A35A00119EFCB00EFA5D885AEDBFB9FF88310F0484A9E905E7251DB35A915CB60

Function 005AB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0058F4EA: std::exception::exception.LIBCMT ref: 0058F51E
Part of subcall function 0058F4EA: __CxxThrowException@8.LIBCMT ref: 0058F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005AB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005AB1AD
GetLastError.KERNEL32 ref: 005AB1BA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0d4ceeb5642b137aef393dcb0dec64b6d25ddd8cb3220663447a4c8524192221
Instruction ID: 7ef19d3f1081578ac66300bfb04ad0c0f5e200fcbe6c213ed7d3a14b39018c0b
Opcode Fuzzy Hash: 0d4ceeb5642b137aef393dcb0dec64b6d25ddd8cb3220663447a4c8524192221
Instruction Fuzzy Hash: 8611BFB1400305AFE718AF54DC89D2BBBBDFB45310B20852EE45693251EB74FC41CB60

Function 005B6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005B6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005B6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005B666F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0cf025b9971e70e0c2e01babb8f109461b45e25b2c4968ca7b60c624490ed0ba
Instruction ID: 80a724c1f742041627104716478fd7a8d1bea33975420f44d5f6bcfee84772e4
Opcode Fuzzy Hash: 0cf025b9971e70e0c2e01babb8f109461b45e25b2c4968ca7b60c624490ed0ba
Instruction Fuzzy Hash: EE115E71E01228BFDB108FA8DC44BFEBBBCEB45B10F104152F900E7290D3B45A059BA1

Function 005B71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005B7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005B723A
FreeSid.ADVAPI32(?), ref: 005B724A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c6848e55b305994e81af14478adedd046810cde617a54f23c7eab27c52f296c1
Instruction ID: cf60c399357b03f07913e8eba038ec8b77831729c9d28cd7a7c59c7159cd9ce0
Opcode Fuzzy Hash: c6848e55b305994e81af14478adedd046810cde617a54f23c7eab27c52f296c1
Instruction Fuzzy Hash: A8F0F976A04209BBDB04DBE5DD89AEEBBBDEB08201F104469A602E2191E6759A44DB20

Function 005BF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005BF599
FindClose.KERNEL32(00000000), ref: 005BF5C9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8fef8d29e28da7bc26598da09734a721d05f05a7b994ea19e0afa0f2f24af614
Instruction ID: ca4c01b83705288f26ecaa49d122bc8557d464f2904b0669d1025b96509d6965
Opcode Fuzzy Hash: 8fef8d29e28da7bc26598da09734a721d05f05a7b994ea19e0afa0f2f24af614
Instruction Fuzzy Hash: E9115B726006019FD710EF28D849A6EBBE9FF94324F00895EF8A9D7291DB34AD05CB95

Function 005BCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,005CBE6A,?,?,00000000,?), ref: 005BCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,005CBE6A,?,?,00000000,?), ref: 005BCEB9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f6a4c35311917a0877658b2e48a5b0e9da552861182f0d53582e6e443fcf2ff9
Instruction ID: c2916358f6403ad7b6c6700cea421a6cb3a34618e499faeed7d7c93583d06570
Opcode Fuzzy Hash: f6a4c35311917a0877658b2e48a5b0e9da552861182f0d53582e6e443fcf2ff9
Instruction Fuzzy Hash: A8F08235510229EBDB119BA4DC89FFA7B6DBF08351F008565F919D6181D630EA44DBB0

Function 005B411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005B4153
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 005B4166

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 52b0e787f76733d0ec652862426eb4c782231f86c6d05ff53b9125874cd9f598
Instruction ID: a8a58d7fe12a6eebb397e6d051c86a05b198497be825067f3b42018d756fdc87
Opcode Fuzzy Hash: 52b0e787f76733d0ec652862426eb4c782231f86c6d05ff53b9125874cd9f598
Instruction Fuzzy Hash: 5BF0677080428DAFDB058FA4C805BFE7FB0FF10305F00840AF966A6192D7799616EFA0

Function 005AAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005AACC0), ref: 005AAB99
CloseHandle.KERNEL32(?,?,005AACC0), ref: 005AABAB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fb71ac844943f049eb3779d858dea9da0e2072b14c88650f7a1076126f28c435
Instruction ID: b236ba3d475afb622d735c1eeb83745587c58d04b43bf9b1d687a53d159e9b78
Opcode Fuzzy Hash: fb71ac844943f049eb3779d858dea9da0e2072b14c88650f7a1076126f28c435
Instruction Fuzzy Hash: 7DE0BF71000511AFE7252F54EC09D767BAAEF483207108829B95981470DB625D94DB60

Function 005981AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00596DB3,-0000031A,?,?,00000001), ref: 005981B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005981BA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 95aa99619d3246b5d64fec562d76bb50d33ea93469b924fdc1abe406ce04316a
Instruction ID: 7b2edf41ce6ad2e9ba6b387273fabed2d0c13c384edd629422d0b2c878669b6b
Opcode Fuzzy Hash: 95aa99619d3246b5d64fec562d76bb50d33ea93469b924fdc1abe406ce04316a
Instruction Fuzzy Hash: CEB09232048608ABDB402BA1EC09B697F7AEB18652F004810F70D840E18B765414EAA2

Function 00583200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

c, xrefs: 005E933E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharUpper
String ID: c
API String ID: 3964851224-2769191132
Opcode ID: c487e81b8f8579d5eba32f33f61c080e452d6a0905e3f0c68630b1b943da3e0c
Instruction ID: 1ee50d85bd5d4859ed1d7e1d98a6cc541ef6ac504a72af7f00df27c28f74bb7d
Opcode Fuzzy Hash: c487e81b8f8579d5eba32f33f61c080e452d6a0905e3f0c68630b1b943da3e0c
Instruction Fuzzy Hash: FD927A706083419FD728EF18C484B6ABFE1BF88704F14885DE98A9B362D771ED45CB92

Function 0059D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af064310548d9547c1ad4049485de5361e0150ea9b872df1beceb54a0b20725
Instruction ID: 785df68507a525d291187992f386284dff8ba496a093d2a254e732cb9e116d7e
Opcode Fuzzy Hash: 9af064310548d9547c1ad4049485de5361e0150ea9b872df1beceb54a0b20725
Instruction Fuzzy Hash: BE323622D69F024DDB239634C936336A699FFB73C4F15D737E819B5AA6EB28C4834110

Function 005796C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 04bf545738141f8ead66762b3d491965c524b79a57d0067d81dd3f28c4a38e63
Instruction ID: af1ade717d71f0535f470b13ad10dea22732cdf50e9ba012d9abe084e5e93afe
Opcode Fuzzy Hash: 04bf545738141f8ead66762b3d491965c524b79a57d0067d81dd3f28c4a38e63
Instruction Fuzzy Hash: 192297715083429BD728DF24D885B6BBFE4FF84310F10891DF89A9B291DB70E945DBA2

Function 005A038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6f6d62f0d1df988404870a655b43ddf3aa8f115d172c593f507beefb4b4e29
Instruction ID: 45496a149df808b5729bb456645e6fd8b938c1dd048a9147108e31b965296498
Opcode Fuzzy Hash: aa6f6d62f0d1df988404870a655b43ddf3aa8f115d172c593f507beefb4b4e29
Instruction Fuzzy Hash: 2AB1FF20D6AF414DD3239638883533BBA5DAFBB2D5B91E71BFC1B74D62EB2185834580

Function 005BB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 005BB6DF

Part of subcall function 0059344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,005BBDC3,00000000,?,?,?,?,005BBF70,00000000,?), ref: 00593453
Part of subcall function 0059344A: __aulldiv.LIBCMT ref: 00593473

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c68f954e3d8cb8fb60e52a144d2ce432b355d187838cf93722f501f7ac1bbb3b
Instruction ID: 32ddf8841c5e49a8b678e9b2c914f8e6143f4b9623d473dcd0136a55ac8ce710
Opcode Fuzzy Hash: c68f954e3d8cb8fb60e52a144d2ce432b355d187838cf93722f501f7ac1bbb3b
Instruction Fuzzy Hash: 18217572634510CBD729CF28C481A92BBE1EB95311B248E7DE4E5CB2C0CBB4B905DB94

Function 005C6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005C6ACA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b339c206ec994d38dc1a33d32b722b04831199dc894b95fdbc660cbd76de2f5d
Instruction ID: b46ec559960703b4ee6a3be73c44aad0a4f6be98aa63e665e8bc2b4f1ed9d27e
Opcode Fuzzy Hash: b339c206ec994d38dc1a33d32b722b04831199dc894b95fdbc660cbd76de2f5d
Instruction Fuzzy Hash: 9DE01235200205AFC700EB99D804E56BBEDBFB4751F04C41AE945D7251DAB1E8049BA0

Function 005B74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 005B750A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: dcdbe0dc50d8b6387e055a4637e7aa6f4d8a43f20fea9fcd3c072b0abf9a7c43
Instruction ID: 02fe8a057a119191120243429a33f97560efe6457f820e4135e9a6a7ff886363
Opcode Fuzzy Hash: dcdbe0dc50d8b6387e055a4637e7aa6f4d8a43f20fea9fcd3c072b0abf9a7c43
Instruction Fuzzy Hash: BBD06CB416CA0D6AEC2A07249C2BFF71E09F388782FD44989B616E90C0A8A47E05A031

Function 005AB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005AAD3E), ref: 005AB124

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a23502f28a998915cd6039e247663bc994afce85484a72b1a45975b4fc7b6728
Instruction ID: 550b909ecc3265d93b1d69b4ac0412f35c829ae44b67b477a7df5b50de9398c7
Opcode Fuzzy Hash: a23502f28a998915cd6039e247663bc994afce85484a72b1a45975b4fc7b6728
Instruction Fuzzy Hash: 23D05E320A460EAEDF024FA4DC06EBE3F6AEB04700F408110FA11C50A0C676D531EB60

Function 005EB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 005EB352

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5fe7cfecc0bc267b47923d74744d18e795b203d15975ed46c968ac074d288267
Instruction ID: c2c0dbc6044d802e1fda0baeb0405c231cbcb04b24045ef30e819011e91d883f
Opcode Fuzzy Hash: 5fe7cfecc0bc267b47923d74744d18e795b203d15975ed46c968ac074d288267
Instruction Fuzzy Hash: 67C04CB1400149DFD755CBD0C9489EEB7BCAB04301F204091A145F1110DB749B45DB72

Function 00598189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0059818F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c1737c3eac8c1fbefd5ceea48e008218125d543e458d639f6af0ec59f8b4ebf6
Instruction ID: 267ddfdb1a49cb1fe096ee1f25de3631b699859790d611d2297a07588c61072f
Opcode Fuzzy Hash: c1737c3eac8c1fbefd5ceea48e008218125d543e458d639f6af0ec59f8b4ebf6
Instruction Fuzzy Hash: 8FA0123100010CA78F001B41EC044553F2DE6001507000010F50C4006087225410A591

Function 005793F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880301bf3038e6e5538d53d7d94e881d02bf51751c8a95563df098430137b099
Instruction ID: 9e32d00da089300c40e00106e6ac03042de520c9bcc1b2f4b5f682161ad6b748
Opcode Fuzzy Hash: 880301bf3038e6e5538d53d7d94e881d02bf51751c8a95563df098430137b099
Instruction Fuzzy Hash: 1912B270A0060ADFDF04DFA5D985AEEBBF9FF48300F108529E84AE7254EB359911DB60

Function 0057E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bef96ed33d445046f988fd30a1b04468ca1be3c48a66aaa2947555d22ddd8e1
Instruction ID: a653507b117f144445fd5286b3eac468ddea19aba42ebfce91476a29c61c1bb2
Opcode Fuzzy Hash: 4bef96ed33d445046f988fd30a1b04468ca1be3c48a66aaa2947555d22ddd8e1
Instruction Fuzzy Hash: F112A07090021A8FDB24DF54E486AAEBFB1FF5C304F14C4A9D99A9B351E331AD41DB91

Function 0057AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 46e23e97598f0331be572b531657fc7df3486f84ac39496d9f8553b898726c6b
Instruction ID: 1b3b2ab65e37176469813421bdfe21f49a9a80770413e928e7a5c961c011fdf1
Opcode Fuzzy Hash: 46e23e97598f0331be572b531657fc7df3486f84ac39496d9f8553b898726c6b
Instruction Fuzzy Hash: 3002B370A00106DBDF14DF65D995AAEBFB9FF88300F10C469E80AEB255EB31DA11DB91

Function 005902A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 37d0456c35aeea07a8668cf60298d2f7db2a3ccae42b08a7685e409489aab107
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 0CC1A5722051A30EDF6D4639C47443EBEA57AA27B131A2B6DD8B3CB4D5EF24C524D720

Function 005906D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 31c9bde16a0f5c12011624ae59cf64f391a781ccc9a11211ddedeb346da2acb0
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: C2C1C1722051930EDF6D4639C47443EBEA57AA2BB131A2B6DD8B2CB4D5EF24C524D720

Function 0058FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: f01f8e701cd21499ba90532557aaa60e00be7a59aef2cb02d9adb56dd5cb0fcd
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 8EC1D1722091930EDF6D463AC47443EBEA56AA27B131A1B7DD8B3DB4E1EF24C524D720

Function 0058FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e9518cfa9c3523f6c7de818c66da247367bd3c558bbc07d66c4b2021599538d4
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 54C1DE722090930ADF6D563AC47043EBFA56AA6BB131A077DDCB2EB4D5EF24C524D720

Function 016CD5D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6b3c6f962aad28982e77ce9eac1c2c3d78ef89b080f514f362894eab22dc6f1f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8E41C271D1051CEBCF48CFADC991AAEBBF2EF88201F548299D516AB345D730AB41DB80

Function 016CD460 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction ID: ab1c05482bf583df5e3e9150778b23bffadc3df0df633c902e50f9ede13ef21e
Opcode Fuzzy Hash: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction Fuzzy Hash: 6D019278A01209EFCB44DF98C9909AEF7B5FB48710F2085A9D909A7741E730AE41DB80

Function 016CD4C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction ID: 3594416ff04c39478e52d6146fd7eb18e509e65232e1825e3b3b8813d3adc119
Opcode Fuzzy Hash: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction Fuzzy Hash: F8019278A01109EFCB44DF98C5909AEF7B5FB48710F6085A9D909A7741E730AE41DB80

Function 016CBE10 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279315960.00000000016CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ca000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 005DD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005DD2DB
GetSysColorBrush.USER32(0000000F), ref: 005DD30C
GetSysColor.USER32(0000000F), ref: 005DD318
SetBkColor.GDI32(?,000000FF), ref: 005DD332
SelectObject.GDI32(?,00000000), ref: 005DD341
InflateRect.USER32(?,000000FF,000000FF), ref: 005DD36C
GetSysColor.USER32(00000010), ref: 005DD374
CreateSolidBrush.GDI32(00000000), ref: 005DD37B
FrameRect.USER32(?,?,00000000), ref: 005DD38A
DeleteObject.GDI32(00000000), ref: 005DD391
InflateRect.USER32(?,000000FE,000000FE), ref: 005DD3DC
FillRect.USER32(?,?,00000000), ref: 005DD40E
GetWindowLongW.USER32(?,000000F0), ref: 005DD439

Part of subcall function 005DD575: GetSysColor.USER32(00000012), ref: 005DD5AE
Part of subcall function 005DD575: SetTextColor.GDI32(?,?), ref: 005DD5B2
Part of subcall function 005DD575: GetSysColorBrush.USER32(0000000F), ref: 005DD5C8
Part of subcall function 005DD575: GetSysColor.USER32(0000000F), ref: 005DD5D3
Part of subcall function 005DD575: GetSysColor.USER32(00000011), ref: 005DD5F0
Part of subcall function 005DD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005DD5FE
Part of subcall function 005DD575: SelectObject.GDI32(?,00000000), ref: 005DD60F
Part of subcall function 005DD575: SetBkColor.GDI32(?,00000000), ref: 005DD618
Part of subcall function 005DD575: SelectObject.GDI32(?,?), ref: 005DD625
Part of subcall function 005DD575: InflateRect.USER32(?,000000FF,000000FF), ref: 005DD644
Part of subcall function 005DD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005DD65B
Part of subcall function 005DD575: GetWindowLongW.USER32(00000000,000000F0), ref: 005DD670
Part of subcall function 005DD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005DD698

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f27d4f103db68e9713a0414298871ae406e3528f13fa27e9ac91206d8cef8371
Instruction ID: b62085d25a28b8683552bccab11947caa535bdf0dd8e9867dfce5ecb8f1b2e8c
Opcode Fuzzy Hash: f27d4f103db68e9713a0414298871ae406e3528f13fa27e9ac91206d8cef8371
Instruction Fuzzy Hash: DA917F71408301BFCB109F64DC48E6BBBBAFF99325F100A1AF962D61A0D775D948DB62

Function 0058B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0058B98B
DeleteObject.GDI32(00000000), ref: 0058B9CD
DeleteObject.GDI32(00000000), ref: 0058B9D8
DestroyIcon.USER32(00000000), ref: 0058B9E3
DestroyWindow.USER32(00000000), ref: 0058B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 005ED2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005ED2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 005ED711

Part of subcall function 0058B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0058B759,?,00000000,?,?,?,?,0058B72B,00000000,?), ref: 0058BA58

SendMessageW.USER32 ref: 005ED758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005ED76F
ImageList_Destroy.COMCTL32(00000000), ref: 005ED785
ImageList_Destroy.COMCTL32(00000000), ref: 005ED790

Strings

0, xrefs: 005ED5A5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c72eec8ec7e8412fdcba8dedeb170eff710109f370ffdc7b7319c5d0862d0e91
Instruction ID: ca9d870a05c79937196f06269c9bcefa46325d22e3afee6868b78af0cc5987db
Opcode Fuzzy Hash: c72eec8ec7e8412fdcba8dedeb170eff710109f370ffdc7b7319c5d0862d0e91
Instruction Fuzzy Hash: A412AC706002419FDB28DF25C888BA9BFF5FF59304F144969E989DB262C731EC45DBA1

Function 005C9F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005C9F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005CA042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005CA080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005CA092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 005CA0D8
GetClientRect.USER32(00000000,?), ref: 005CA0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 005CA128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005CA137
GetStockObject.GDI32(00000011), ref: 005CA147
SelectObject.GDI32(00000000,00000000), ref: 005CA14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005CA15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005CA164
DeleteDC.GDI32(00000000), ref: 005CA16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005CA19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 005CA1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 005CA1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005CA201
SendMessageW.USER32(00000404,00000001,00000000), ref: 005CA212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 005CA242
GetStockObject.GDI32(00000011), ref: 005CA24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005CA258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005CA262

Strings

msctls_progress32, xrefs: 005CA1E3
static, xrefs: 005CA122, 005CA23C
DISPLAY, xrefs: 005CA12D
AutoIt v3, xrefs: 005CA0D0

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9fcc38384cda564f249f9014fe15bc82df7f12dbc36f5e512e63519af6d891f6
Instruction ID: e59cc3bf92c5be2d3e45780fc11d96d934834f9a6e6cf1259ce1fdefa699ba43
Opcode Fuzzy Hash: 9fcc38384cda564f249f9014fe15bc82df7f12dbc36f5e512e63519af6d891f6
Instruction Fuzzy Hash: 1CA15E71A00215AFEB14DBA4DC49FAEBBBAEF45710F004118F614EB2E0DB74AD01DB64

Function 005BDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005BDBD6
GetDriveTypeW.KERNEL32(?,0060DC54,?,\\.\,0060DC00), ref: 005BDCC3
SetErrorMode.KERNEL32(00000000,0060DC54,?,\\.\,0060DC00), ref: 005BDE29

Strings

iSCSI, xrefs: 005BDDCB
Network, xrefs: 005BDD01
SATA, xrefs: 005BDDD9
Unknown, xrefs: 005BDCE3, 005BDD8C
MMC, xrefs: 005BDDE7
1394, xrefs: 005BDDA8
Fixed, xrefs: 005BDD0B
RAMDisk, xrefs: 005BDCED
SSA, xrefs: 005BDDAF
SCSI, xrefs: 005BDD93
RAID, xrefs: 005BDDC4
ATA, xrefs: 005BDDA1
PhysicalDrive, xrefs: 005BDC67
SSD, xrefs: 005BDD50
Fibre, xrefs: 005BDDB6
Removable, xrefs: 005BDD15
USB, xrefs: 005BDDBD
CDROM, xrefs: 005BDCF7
SAS, xrefs: 005BDDD2
\\.\, xrefs: 005BDC2B
ATAPI, xrefs: 005BDD9A
FileBackedVirtual, xrefs: 005BDDF5
Virtual, xrefs: 005BDDEE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fc183f18097fcac1f1a6582920dc20d029b27ffb72ca78a7e2475398ffaab4ab
Instruction ID: 100edaacc9a7d5683c5d1be358a91b3ff21460927ef52ad44e4697b4e1f8edfb
Opcode Fuzzy Hash: fc183f18097fcac1f1a6582920dc20d029b27ffb72ca78a7e2475398ffaab4ab
Instruction Fuzzy Hash: AA51B430348B22AFC610DF10D8858A9FFB2FBA4701B214D19F4879B291EB64F945DB66

Function 0057CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0057CC68
__wcsnicmp.LIBCMT ref: 0057CC80
__wcsnicmp.LIBCMT ref: 0057CC98
__wcsnicmp.LIBCMT ref: 0057CCB0
__wcsnicmp.LIBCMT ref: 0057CCC8
__wcsnicmp.LIBCMT ref: 0057CCE0
__wcsnicmp.LIBCMT ref: 0057CCF8
__wcsnicmp.LIBCMT ref: 0057CD0C
__wcsnicmp.LIBCMT ref: 0057CD4D
__wcsnicmp.LIBCMT ref: 0057CD61
__wcsnicmp.LIBCMT ref: 0057CD75
__wcsnicmp.LIBCMT ref: 0057CD89

Strings

#include-once, xrefs: 0057CCC2
#comments-start, xrefs: 0057CCF2, 0057CD47
Cannot parse #include, xrefs: 005E2FA1
#OnAutoItStartRegister, xrefs: 0057CCAA
#cs, xrefs: 0057CD06, 0057CD5B
#include, xrefs: 0057CCDA
Unterminated group of comments, xrefs: 005E2FB4
#pragma compile, xrefs: 0057CC62
#notrayicon, xrefs: 0057CC7A
Bad directive syntax error, xrefs: 005E2ECB
#ce, xrefs: 0057CD83
#requireadmin, xrefs: 0057CC92
#comments-end, xrefs: 0057CD6F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3103ce1f91319c7188e23c2b234a67a04e82181e8f5c01bf92e813493db5af52
Instruction ID: 396ef83a5ad4ef5d69071655ee2c35a1b9867a965e0a93c5d13d001689d5a932
Opcode Fuzzy Hash: 3103ce1f91319c7188e23c2b234a67a04e82181e8f5c01bf92e813493db5af52
Instruction Fuzzy Hash: 9C81F9306402576BDB29AB65EC47FBF3F6DBF54300F048028F949AA1C6EB60D941E795

Function 005DC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 005DC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 005DC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 005DC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 005DCB15

Strings

0, xrefs: 005DC89C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: bbb71c54be95f8098cf3b612f2e56e68160e834a816b82e882e1aaef7f2a74d7
Instruction ID: f76a582c68263b99e5eea1e24edfdd053f4f575e601c43f0bcd02ed3a3ac7f89
Opcode Fuzzy Hash: bbb71c54be95f8098cf3b612f2e56e68160e834a816b82e882e1aaef7f2a74d7
Instruction Fuzzy Hash: 05F1A071204302AFE7218F28C849BAABFE5FF4A354F04091BF599D63A1C774D945DBA1

Function 005D638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0060DC00), ref: 005D6449

Strings

TABRIGHT, xrefs: 005D64BD
CURRENTTAB, xrefs: 005D64DD
SENDCOMMANDID, xrefs: 005D67CA
GETSELECTED, xrefs: 005D66C1
GETLINECOUNT, xrefs: 005D66E4
FINDSTRING, xrefs: 005D6596
UNCHECK, xrefs: 005D66A1
TABLEFT, xrefs: 005D64A7
SETCURRENTSELECTION, xrefs: 005D65D6
CHECK, xrefs: 005D668B
GETCURRENTSELECTION, xrefs: 005D6603
ISVISIBLE, xrefs: 005D6455
GETCURRENTCOL, xrefs: 005D6724
ISENABLED, xrefs: 005D648C
ISCHECKED, xrefs: 005D6659
ADDSTRING, xrefs: 005D6536
EDITPASTE, xrefs: 005D675B
GETLINE, xrefs: 005D678B
SHOWDROPDOWN, xrefs: 005D6500
DELSTRING, xrefs: 005D6569
SELECTSTRING, xrefs: 005D6626
GETCURRENTLINE, xrefs: 005D6704
HIDEDROPDOWN, xrefs: 005D6520

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 0bce0d10c04e066b34bc2ddecbfbd76f40e7e1afc2e5fe7bdf5f98b57ba5126c
Instruction ID: 2509a9a15fbedf4849ebe12d81d31c568e3d25a831a08230990f7f54d606bcab
Opcode Fuzzy Hash: 0bce0d10c04e066b34bc2ddecbfbd76f40e7e1afc2e5fe7bdf5f98b57ba5126c
Instruction Fuzzy Hash: 1EC181306046568BCB14EF18D555A6E7FA6BFD5344F00485AF8866B3A3DF20ED4BCB82

Function 005DD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005DD5AE
SetTextColor.GDI32(?,?), ref: 005DD5B2
GetSysColorBrush.USER32(0000000F), ref: 005DD5C8
GetSysColor.USER32(0000000F), ref: 005DD5D3
CreateSolidBrush.GDI32(?), ref: 005DD5D8
GetSysColor.USER32(00000011), ref: 005DD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005DD5FE
SelectObject.GDI32(?,00000000), ref: 005DD60F
SetBkColor.GDI32(?,00000000), ref: 005DD618
SelectObject.GDI32(?,?), ref: 005DD625
InflateRect.USER32(?,000000FF,000000FF), ref: 005DD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005DD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 005DD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005DD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005DD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 005DD6DD
DrawFocusRect.USER32(?,?), ref: 005DD6E8
GetSysColor.USER32(00000011), ref: 005DD6F6
SetTextColor.GDI32(?,00000000), ref: 005DD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 005DD712
SelectObject.GDI32(?,005DD2A5), ref: 005DD729
DeleteObject.GDI32(?), ref: 005DD734
SelectObject.GDI32(?,?), ref: 005DD73A
DeleteObject.GDI32(?), ref: 005DD73F
SetTextColor.GDI32(?,?), ref: 005DD745
SetBkColor.GDI32(?,?), ref: 005DD74F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a5da43e5c63a4cab12f6d1a80936f51d3e0ec193ddba41ec32f948f83f41d990
Instruction ID: 8e242f7e4df89bbe0232028a84cf97143b33b6709979ccb584a33be06e930e8a
Opcode Fuzzy Hash: a5da43e5c63a4cab12f6d1a80936f51d3e0ec193ddba41ec32f948f83f41d990
Instruction Fuzzy Hash: 03513D71900208AFDF10AFA8DC48EAE7B7AFF59320F104516F915EB2A1D7759A44EF60

Function 005DB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005DB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005DB7C1
CharNextW.USER32(0000014E), ref: 005DB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005DB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005DB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005DB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005DB875
SetWindowTextW.USER32(?,0000014E), ref: 005DB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 005DB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 005DB90E
_memset.LIBCMT ref: 005DB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005DB97C
_memset.LIBCMT ref: 005DB9DB
SendMessageW.USER32 ref: 005DBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 005DBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 005DBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 005DBB2C
GetMenuItemInfoW.USER32(?), ref: 005DBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005DBBA3
DrawMenuBar.USER32(?), ref: 005DBBB2
SetWindowTextW.USER32(?,0000014E), ref: 005DBBDA

Strings

0, xrefs: 005DBB4F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 0e6e3535476dc5c82f3ba126a21e5ac7c81d6ce2b06d91e85c3ccb66e3dcf50f
Instruction ID: 507e56813b31b4dcfe7b00fda38a535b41656d6e159378f3b106f9c8f156ff6d
Opcode Fuzzy Hash: 0e6e3535476dc5c82f3ba126a21e5ac7c81d6ce2b06d91e85c3ccb66e3dcf50f
Instruction Fuzzy Hash: ADE19E70900209EBEF209F69CC85AEE7F7AFF45750F108557F919AA290DB748A41DF60

Function 00572EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00572F7A
IsWindow.USER32(?), ref: 005E22FD

Strings

H+b, xrefs: 005E2184
L+b, xrefs: 005E21B2
CLASS, xrefs: 005E2128
REGEXPCLASS, xrefs: 005E2149
ACTIVE, xrefs: 005E20CC
TITLE, xrefs: 005E2292
P+b, xrefs: 005E21E0
HANDLE, xrefs: 005E20E2
ALL, xrefs: 005E2264
INSTANCE, xrefs: 005E223C
T+b, xrefs: 005E220E
LAST, xrefs: 005E20B6
REGEXPTITLE, xrefs: 005E20F8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+b$HANDLE$INSTANCE$L+b$LAST$P+b$REGEXPCLASS$REGEXPTITLE$T+b$TITLE
API String ID: 62970417-3607071086
Opcode ID: 44cc685c1690f04aaa18229c0a366e87c2cc8a721c66a0c34719023e46b4e06c
Instruction ID: d9e942a03df48d54b3ab23d011fb96e71e2315b9c3502e42b40dcce31f2836ec
Opcode Fuzzy Hash: 44cc685c1690f04aaa18229c0a366e87c2cc8a721c66a0c34719023e46b4e06c
Instruction Fuzzy Hash: 68D12B305086839BCB08EF11D445A9ABFB9FF94340F008D1DF49A975A5DB30E95ADF91

Function 005D764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005D778A
GetDesktopWindow.USER32 ref: 005D779F
GetWindowRect.USER32(00000000), ref: 005D77A6
GetWindowLongW.USER32(?,000000F0), ref: 005D7808
DestroyWindow.USER32(?), ref: 005D7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005D785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005D787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005D78A1
SendMessageW.USER32(?,00000421,?,?), ref: 005D78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005D78C9
IsWindowVisible.USER32(?), ref: 005D78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 005D7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 005D7918
GetWindowRect.USER32(?,?), ref: 005D7930
MonitorFromPoint.USER32(?,?,00000002), ref: 005D7956
GetMonitorInfoW.USER32 ref: 005D7970
CopyRect.USER32(?,?), ref: 005D7987
SendMessageW.USER32(?,00000412,00000000), ref: 005D79F2

Strings

(, xrefs: 005D7965
0, xrefs: 005D7735
tooltips_class32, xrefs: 005D7856

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9f1799efc8f27658b4fcdd25cc1557c58321218af5cfec6f24a31daf3b3dd380
Instruction ID: 9b800651641ed7255693f9491d6887fa55c081dec752e053504e4b5c708d0b20
Opcode Fuzzy Hash: 9f1799efc8f27658b4fcdd25cc1557c58321218af5cfec6f24a31daf3b3dd380
Instruction Fuzzy Hash: E4B19171608301AFDB14DF68C948B6ABFE5FF88310F00891EF5999B291E774E805DBA5

Function 005B6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005B6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005B6D21
_wcscpy.LIBCMT ref: 005B6D4F
_wcscmp.LIBCMT ref: 005B6D5A
_wcscat.LIBCMT ref: 005B6D70
_wcsstr.LIBCMT ref: 005B6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005B6D97
_wcscat.LIBCMT ref: 005B6DE0
_wcscat.LIBCMT ref: 005B6DE7
_wcsncpy.LIBCMT ref: 005B6E12

Strings

%u.%u.%u.%u, xrefs: 005B6E75
DefaultLangCodepage, xrefs: 005B6DFA
04090000, xrefs: 005B6DCD
\VarFileInfo\Translation, xrefs: 005B6D8F
StringFileInfo\, xrefs: 005B6D6A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4f6bd928cbfdeaed061c9adcb6faafdf834526c5cc16298034cb3500c46c1ad6
Instruction ID: e1edc6e4ef3fe391211b0ec7bc2f64db64649642c625cf31cdf401a4d28abdef
Opcode Fuzzy Hash: 4f6bd928cbfdeaed061c9adcb6faafdf834526c5cc16298034cb3500c46c1ad6
Instruction Fuzzy Hash: 8641C471600212BFEB04BB649C4BEBF7F7DFF95710F040429F905A6182EB78AA4197A5

Function 0058A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0058A939
GetSystemMetrics.USER32(00000007), ref: 0058A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0058A96C
GetSystemMetrics.USER32(00000008), ref: 0058A974
GetSystemMetrics.USER32(00000004), ref: 0058A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0058A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0058A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0058A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0058AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0058AA2B
GetStockObject.GDI32(00000011), ref: 0058AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0058AA52

Part of subcall function 0058B63C: GetCursorPos.USER32(000000FF), ref: 0058B64F
Part of subcall function 0058B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0058B66C
Part of subcall function 0058B63C: GetAsyncKeyState.USER32(00000001), ref: 0058B691
Part of subcall function 0058B63C: GetAsyncKeyState.USER32(00000002), ref: 0058B69F

SetTimer.USER32(00000000,00000000,00000028,0058AB87), ref: 0058AA79

Strings

AutoIt v3 GUI, xrefs: 0058A9F1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 11f2c0260ad567d96c3fc4c8420add264ee6aaad86aaf3afc2b6927933b464a4
Instruction ID: 2c6a502cef1522f1931a30f61d4be1638593d6a362a6f09a9fecb03ce5286438
Opcode Fuzzy Hash: 11f2c0260ad567d96c3fc4c8420add264ee6aaad86aaf3afc2b6927933b464a4
Instruction Fuzzy Hash: C9B17E7160020A9FEB14EFA8DC45BAD7FB5FB49310F114229FA15EB290DB74E841DB61

Function 005D3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005D3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0060DC00,00000000,?,00000000,?,?), ref: 005D37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005D37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005D3874
RegCloseKey.ADVAPI32(?), ref: 005D3B94
RegCloseKey.ADVAPI32(00000000), ref: 005D3BA1

Strings

REG_EXPAND_SZ, xrefs: 005D3811
REG_SZ, xrefs: 005D38B2
REG_QWORD, xrefs: 005D3AE2
REG_DWORD, xrefs: 005D3A65
REG_MULTI_SZ, xrefs: 005D395C
REG_BINARY, xrefs: 005D3B2F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 47de9f26f48e18f5146501d641a817edc0f57343191e45e589f98b14cc323c01
Instruction ID: 09fb7b9615b871d2baa1f74b214ad364a5c788aecacf44bc4e11fe29aebb0236
Opcode Fuzzy Hash: 47de9f26f48e18f5146501d641a817edc0f57343191e45e589f98b14cc323c01
Instruction Fuzzy Hash: 25025F752046029FDB14EF18D859E2ABBE5FF88710F04885EF9899B3A1DB30ED41DB52

Function 005D6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005D6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005D6D16

Strings

GETSUBITEMCOUNT, xrefs: 005D6CA1
GETSELECTED, xrefs: 005D6E3C
SELECT, xrefs: 005D6DA8
GETTEXT, xrefs: 005D6CBF
SELECTINVERT, xrefs: 005D6DDE
ISSELECTED, xrefs: 005D6D21
GETITEMCOUNT, xrefs: 005D6C84
DESELECT, xrefs: 005D6DFC
SELECTALL, xrefs: 005D6D75
VIEWCHANGE, xrefs: 005D6ECD
SELECTCLEAR, xrefs: 005D6D8D
GETSELECTEDCOUNT, xrefs: 005D6CF9
FINDITEM, xrefs: 005D6E81

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 0f0019365ee9079ff23ef98e7630b4ddd6367ffc98b53047b2c4c6d3b40d07a3
Instruction ID: 2dde4ea431b3b1831ac0b14f31e78f4eed2fedfe80d46c03d969858f616f40a4
Opcode Fuzzy Hash: 0f0019365ee9079ff23ef98e7630b4ddd6367ffc98b53047b2c4c6d3b40d07a3
Instruction Fuzzy Hash: 03A171346042429FCB24FF14D855A6ABFA6FF84314F14896AB85A6B3D6DF30EC06CB51

Function 005ACF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005ACF91
__swprintf.LIBCMT ref: 005AD032
_wcscmp.LIBCMT ref: 005AD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005AD09A
_wcscmp.LIBCMT ref: 005AD0D6
GetClassNameW.USER32(?,?,00000400), ref: 005AD10D
GetDlgCtrlID.USER32(?), ref: 005AD15F
GetWindowRect.USER32(?,?), ref: 005AD195
GetParent.USER32(?), ref: 005AD1B3
ScreenToClient.USER32(00000000), ref: 005AD1BA
GetClassNameW.USER32(?,?,00000100), ref: 005AD234
_wcscmp.LIBCMT ref: 005AD248
GetWindowTextW.USER32(?,?,00000400), ref: 005AD26E
_wcscmp.LIBCMT ref: 005AD282

Strings

%s%u, xrefs: 005AD02C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: e6f59d0cebe6b94f399be8454f39063e06a64cdef5db9ff9a468814ffa86b93e
Instruction ID: e2b2c6564b2ecd9686fb53fee7dc0681d07f540c30655e9933bb950e4ef6e68c
Opcode Fuzzy Hash: e6f59d0cebe6b94f399be8454f39063e06a64cdef5db9ff9a468814ffa86b93e
Instruction Fuzzy Hash: 8DA1E271604706AFDB15EF64C888BAEBFB9FF45344F008519F99AD2580DB30EA05CBA1

Function 005AD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 005AD8EB
_wcscmp.LIBCMT ref: 005AD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 005AD924
CharUpperBuffW.USER32(?,00000000), ref: 005AD941
_wcscmp.LIBCMT ref: 005AD95F
_wcsstr.LIBCMT ref: 005AD970
GetClassNameW.USER32(00000018,?,00000400), ref: 005AD9A8
_wcscmp.LIBCMT ref: 005AD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 005AD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 005ADA28
_wcscmp.LIBCMT ref: 005ADA38
GetClassNameW.USER32(00000010,?,00000400), ref: 005ADA60
GetWindowRect.USER32(00000004,?), ref: 005ADAC9

Strings

@, xrefs: 005AD8C6
ThumbnailClass, xrefs: 005AD9B3, 005ADA33

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: bf5f61b4081ba41c8e539df5500b4b01b2c0779846ef0cb1f1741c0278622feb
Instruction ID: 6a37da579c845fccb9885ea13c338171ce4349bf639dcaa4e0565fe3c6ec374c
Opcode Fuzzy Hash: bf5f61b4081ba41c8e539df5500b4b01b2c0779846ef0cb1f1741c0278622feb
Instruction Fuzzy Hash: 81817C7110820A9FDB01EE10C885BAE7FB8FF85714F04846AFD8A9A496DB34DD45CBB1

Function 005AD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005AD753

Strings

REGEXP=, xrefs: 005AD768
HANDLE=, xrefs: 005AD74C
[LAST, xrefs: 005AD800
ACTIVE, xrefs: 005AD72E
[REGEXPTITLE:, xrefs: 005AD77B
ALL, xrefs: 005AD7E7
[ALL, xrefs: 005AD7F9
CLASSNAME=, xrefs: 005AD790
[CLASS:, xrefs: 005AD7A3
[ACTIVE, xrefs: 005AD740
[HANDLE:, xrefs: 005AD75F
LAST, xrefs: 005AD718

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 537405cfa71f68181707a199db9e44126cc97f8977bc80edc523635eaa338dff
Instruction ID: 20b135f88d7a1dd822eb5a5291cf68477d90cefd5e1fc0f4ee6bb37a7fb33cab
Opcode Fuzzy Hash: 537405cfa71f68181707a199db9e44126cc97f8977bc80edc523635eaa338dff
Instruction Fuzzy Hash: E931EE31A04617AADB18FA10ED67FAEBF79BF61705F600028F446710D1EB61AB00DA21

Function 005AEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005AEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005AEAC2
SetWindowTextW.USER32(?,?), ref: 005AEAD9
GetDlgItem.USER32(?,000003EA), ref: 005AEAEE
SetWindowTextW.USER32(00000000,?), ref: 005AEAF4
GetDlgItem.USER32(?,000003E9), ref: 005AEB04
SetWindowTextW.USER32(00000000,?), ref: 005AEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005AEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005AEB45
GetWindowRect.USER32(?,?), ref: 005AEB4E
SetWindowTextW.USER32(?,?), ref: 005AEBB9
GetDesktopWindow.USER32 ref: 005AEBBF
GetWindowRect.USER32(00000000), ref: 005AEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 005AEC12
GetClientRect.USER32(?,?), ref: 005AEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 005AEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005AEC6F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 626cb791b70491227c8953a47d0e45e1b158fe0de7464ada8015fe0c43e6928f
Instruction ID: b04302b40ac42cba61e5af88d93bb92106ec53ccb6ec537353f3d43a38802a38
Opcode Fuzzy Hash: 626cb791b70491227c8953a47d0e45e1b158fe0de7464ada8015fe0c43e6928f
Instruction Fuzzy Hash: 1F512C71900709EFDB219FA8CD8AB6EBFF5FF05705F004928E696E25A0D774A944DB20

Function 005C79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 005C79C6
LoadCursorW.USER32(00000000,00007F00), ref: 005C79D1
LoadCursorW.USER32(00000000,00007F03), ref: 005C79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 005C79E7
LoadCursorW.USER32(00000000,00007F01), ref: 005C79F2
LoadCursorW.USER32(00000000,00007F81), ref: 005C79FD
LoadCursorW.USER32(00000000,00007F88), ref: 005C7A08
LoadCursorW.USER32(00000000,00007F80), ref: 005C7A13
LoadCursorW.USER32(00000000,00007F86), ref: 005C7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 005C7A29
LoadCursorW.USER32(00000000,00007F85), ref: 005C7A34
LoadCursorW.USER32(00000000,00007F82), ref: 005C7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 005C7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 005C7A55
LoadCursorW.USER32(00000000,00007F02), ref: 005C7A60
LoadCursorW.USER32(00000000,00007F89), ref: 005C7A6B
GetCursorInfo.USER32(?), ref: 005C7A7B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: c96505724e2013ab196e69e2f609f2bdb021fff5c97b99b6b4e6cb9bd7dd7fdf
Instruction ID: f585d496064baf724ba10fb1cd8864642bac21e604054d10a4d122ff8d00e8f9
Opcode Fuzzy Hash: c96505724e2013ab196e69e2f609f2bdb021fff5c97b99b6b4e6cb9bd7dd7fdf
Instruction Fuzzy Hash: 7D31D6B1D4831E6ADB509FB68C89D5FBEE8FF04750F50452AA50DE7180DA78A5008FA1

Function 0057C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0058E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0057C8B7,?,00002000,?,?,00000000,?,0057419E,?,?,?,0060DC00), ref: 0058E984

Part of subcall function 0057660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005753B1,?,?,005761FF,?,00000000,00000001,00000000), ref: 0057662F

__wsplitpath.LIBCMT ref: 0057C93E

Part of subcall function 00591DFC: __wsplitpath_helper.LIBCMT ref: 00591E3C

_wcscpy.LIBCMT ref: 0057C953
_wcscat.LIBCMT ref: 0057C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0057C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0057CABE

Part of subcall function 0057B337: _wcscpy.LIBCMT ref: 0057B36F

Strings

Unterminated string, xrefs: 005E3470
EA06, xrefs: 005E30C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005E3098
Error opening the file, xrefs: 005E30B4, 005E313D
Bad directive syntax error, xrefs: 005E3429
AU3!, xrefs: 0057C90C
>>>AUTOIT SCRIPT<<<, xrefs: 005E311B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: d9ba480b321a39be4cffd8bd81f27e16ab2e113f1485b2f06f3692da3cbc4c15
Instruction ID: 80bfd5c962ef548c2e1b236980c1e276b97e74a0245a92bc1c9148f0962c062e
Opcode Fuzzy Hash: d9ba480b321a39be4cffd8bd81f27e16ab2e113f1485b2f06f3692da3cbc4c15
Instruction Fuzzy Hash: 85125A715083429FC724EF24D889AAEBFE5BFD9300F40891DF589972A1DB30DA49DB52

Function 005DCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005DCEFB
DestroyWindow.USER32(?,?), ref: 005DCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005DCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005DD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005DD025
DestroyWindow.USER32(?), ref: 005DD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00570000,00000000), ref: 005DD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005DD094
GetDesktopWindow.USER32 ref: 005DD0A9
GetWindowRect.USER32(00000000), ref: 005DD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005DD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005DD0DA

Part of subcall function 0058B526: GetWindowLongW.USER32(?,000000EB), ref: 0058B537

Strings

tooltips_class32, xrefs: 005DCFED, 005DD06E
0, xrefs: 005DCF1B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 53bf4766d8f89d6f22873b4430307d0185143ee2fb320f3f15ebfc4bb8b6033c
Instruction ID: e01610539b093e122937b7be010f184973d307c135655bd65be10b1a96b9db42
Opcode Fuzzy Hash: 53bf4766d8f89d6f22873b4430307d0185143ee2fb320f3f15ebfc4bb8b6033c
Instruction Fuzzy Hash: 2A718C70140205AFD720CF68CC89F6A7BF6FB89704F04451AF9858B2A1EB75E946DB62

Function 005DF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

DragQueryPoint.SHELL32(?,?), ref: 005DF37A

Part of subcall function 005DD7DE: ClientToScreen.USER32(?,?), ref: 005DD807
Part of subcall function 005DD7DE: GetWindowRect.USER32(?,?), ref: 005DD87D
Part of subcall function 005DD7DE: PtInRect.USER32(?,?,005DED5A), ref: 005DD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 005DF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005DF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005DF411
_wcscat.LIBCMT ref: 005DF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005DF458
SendMessageW.USER32(?,000000B0,?,?), ref: 005DF471
SendMessageW.USER32(?,000000B1,?,?), ref: 005DF488
SendMessageW.USER32(?,000000B1,?,?), ref: 005DF4AA
DragFinish.SHELL32(?), ref: 005DF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005DF59C

Strings

@GUI_DRAGID, xrefs: 005DF510
@GUI_DRAGFILE, xrefs: 005DF54B
@GUI_DROPID, xrefs: 005DF4D1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: b3f0fe719cf32d09f150597ce94d9516f2dfc4ce4106e2c4b94405ae9e273bb0
Instruction ID: 375c9f10409f5f54607c8b69c69b70648a26963fa3b0293b60456e16f0a8028d
Opcode Fuzzy Hash: b3f0fe719cf32d09f150597ce94d9516f2dfc4ce4106e2c4b94405ae9e273bb0
Instruction Fuzzy Hash: AE616871108301AFC711EF64D889DABBFF9FF89710F004A1EB595961A1DB709A09DB62

Function 005BAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005BAB3D
VariantCopy.OLEAUT32(?,?), ref: 005BAB46
VariantClear.OLEAUT32(?), ref: 005BAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005BAC40
__swprintf.LIBCMT ref: 005BAC70
VarR8FromDec.OLEAUT32(?,?), ref: 005BAC9C
VariantInit.OLEAUT32(?), ref: 005BAD4D
SysFreeString.OLEAUT32(00000016), ref: 005BADDF
VariantClear.OLEAUT32(?), ref: 005BAE35
VariantClear.OLEAUT32(?), ref: 005BAE44
VariantInit.OLEAUT32(00000000), ref: 005BAE80

Strings

Default, xrefs: 005BACFD
%4d%02d%02d%02d%02d%02d, xrefs: 005BAC6A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 92322f572484fe57e47b6fbbad993a0eb98b8152c6d435ac37cb515c2e5efea5
Instruction ID: 80f59c17c04fc7f952fa474338a8a35adf03e9b603595deff4a0d656d25227c0
Opcode Fuzzy Hash: 92322f572484fe57e47b6fbbad993a0eb98b8152c6d435ac37cb515c2e5efea5
Instruction Fuzzy Hash: 5ED1C071600216DBDB209F69D889BB9FFBAFF84700F148855E855AB181DB74FC40DBA2

Function 005D716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005D71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005D7247

Strings

COLLAPSE, xrefs: 005D728D
CHECK, xrefs: 005D7267
GETTOTALCOUNT, xrefs: 005D722A
GETITEMCOUNT, xrefs: 005D7311
GETSELECTED, xrefs: 005D733F
ISCHECKED, xrefs: 005D73B2
SELECT, xrefs: 005D73E0
EXISTS, xrefs: 005D72B0
UNCHECK, xrefs: 005D740B
GETTEXT, xrefs: 005D7382
EXPAND, xrefs: 005D72E1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 503a9b5d53c6628bf69e2d296938f5c56137908bd564dfd668d2ce3f744c90f2
Instruction ID: fa9d1ab3d6472e55ced0b74f94c3d671a4214b564991c2e97422f0062e662e41
Opcode Fuzzy Hash: 503a9b5d53c6628bf69e2d296938f5c56137908bd564dfd668d2ce3f744c90f2
Instruction Fuzzy Hash: 739163342087469BCB14EF14D455A6EBFA1BF98310F00885EFC9A6B392DB30ED46DB91

Function 005ACB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,005ACF50), ref: 005ACE90

Strings

REGEXPCLASS, xrefs: 005ACC56
L+b, xrefs: 005ACD14
CLASSNN, xrefs: 005ACC33
TEXT, xrefs: 005ACDC7
NAME, xrefs: 005ACCC2
INSTANCE, xrefs: 005ACD9E
T+b, xrefs: 005ACD72
CLASS, xrefs: 005ACC10
4+b, xrefs: 005ACC96
P+b, xrefs: 005ACD43
H+b, xrefs: 005ACCE8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+b$CLASS$CLASSNN$H+b$INSTANCE$L+b$NAME$P+b$REGEXPCLASS$T+b$TEXT
API String ID: 3555792229-3592434310
Opcode ID: bf0372684f48f0818568b3233217a13fda2a0bf15bc1dc2efac461501e56285d
Instruction ID: a1c252de928f08390c0e17d356c24e36755a0a9b4a4761e3137af2c303ba092c
Opcode Fuzzy Hash: bf0372684f48f0818568b3233217a13fda2a0bf15bc1dc2efac461501e56285d
Instruction Fuzzy Hash: 58917F30A00507ABCB19EF60C496BEEFF79BF46304F508519E85AA7151DF30695ADBA0

Function 005DE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005DE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005DBEAF), ref: 005DE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005DE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005DE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005DE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,005DBEAF), ref: 005DE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005DE6DF
DestroyIcon.USER32(?,?,?,?,?,005DBEAF), ref: 005DE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005DE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005DE717

Part of subcall function 00590FA7: __wcsicmp_l.LIBCMT ref: 00591030

Strings

.dll, xrefs: 005DE564
.exe, xrefs: 005DE541
.icl, xrefs: 005DE521

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: fb392bb0c53481ec6e8d958a534fbb35c46a0bf1c3957622315de540d7e165bd
Instruction ID: b9473601deb3c2e018c0fcea64dfc96baa993228fc155bc3d64bb38ddfc1864b
Opcode Fuzzy Hash: fb392bb0c53481ec6e8d958a534fbb35c46a0bf1c3957622315de540d7e165bd
Instruction Fuzzy Hash: FD61C071500215BAEB20EF68EC46FBE7FB8BB18711F104506F915EA2D0EB74D980DB60

Function 005BD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

CharLowerBuffW.USER32(?,?), ref: 005BD292
GetDriveTypeW.KERNEL32 ref: 005BD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005BD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005BD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005BD38C

Strings

close cd wait, xrefs: 005BD377
closed, xrefs: 005BD2A6, 005BD2AF
open , xrefs: 005BD2EE
wait, xrefs: 005BD349
type cdaudio alias cd wait, xrefs: 005BD30A
open, xrefs: 005BD2B9
close, xrefs: 005BD298
set cd door , xrefs: 005BD32D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: e0df9e484fe0d7cf6dbe9463a52b463dba209492423d1db27e185f55b733a774
Instruction ID: 178ea00051b7d886af48168a804202f5dff1f5bcc897bd4599ada0b7efbae7d2
Opcode Fuzzy Hash: e0df9e484fe0d7cf6dbe9463a52b463dba209492423d1db27e185f55b733a774
Instruction Fuzzy Hash: FA513871504616AFC700EF10D88596EBBF5FF98718F40886CF88967251EB31AE09DB52

Function 005B26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,005E3973,00000016,0000138C,00000016,?,00000016,0060DDB4,00000000,?), ref: 005B26F1
LoadStringW.USER32(00000000,?,005E3973,00000016), ref: 005B26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,005E3973,00000016,0000138C,00000016,?,00000016,0060DDB4,00000000,?,00000016), ref: 005B271C
LoadStringW.USER32(00000000,?,005E3973,00000016), ref: 005B271F
__swprintf.LIBCMT ref: 005B276F
__swprintf.LIBCMT ref: 005B2780
_wprintf.LIBCMT ref: 005B2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005B2840

Strings

Line %d (File "%s"):, xrefs: 005B2769
^ ERROR, xrefs: 005B27D5
Line %d:, xrefs: 005B277A
%s (%d) : ==> %s: %s %s, xrefs: 005B2824
Error: , xrefs: 005B27F7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 332ef3f746d24da51ac9d043d15d1daf2891907aae4330889b95d8c2186e7502
Instruction ID: 5d9de1e46e1b089abd95a8e7d565eac656e8e7d3aab55c9f9f987300ac3e15f6
Opcode Fuzzy Hash: 332ef3f746d24da51ac9d043d15d1daf2891907aae4330889b95d8c2186e7502
Instruction Fuzzy Hash: 6241337280021AAACB14FBD0ED8ADEEBB79FF95340F504065B50976092EB746F49DB70

Function 005BD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005BD0D8
__swprintf.LIBCMT ref: 005BD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 005BD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005BD15C
_memset.LIBCMT ref: 005BD17B
_wcsncpy.LIBCMT ref: 005BD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005BD1EC
CloseHandle.KERNEL32(00000000), ref: 005BD1F7
RemoveDirectoryW.KERNEL32(?), ref: 005BD200
CloseHandle.KERNEL32(00000000), ref: 005BD20A

Strings

:, xrefs: 005BD11B
\, xrefs: 005BD110
\??\%s, xrefs: 005BD0F4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 58797bf0873a01f0579f7d8a7fc57252cf2e3049f27ce9dfc6bacae439a0ba6b
Instruction ID: ee8d32e7933954a0346508266701aa7bd67d837d3b476a05d3f7ced5dd612a9a
Opcode Fuzzy Hash: 58797bf0873a01f0579f7d8a7fc57252cf2e3049f27ce9dfc6bacae439a0ba6b
Instruction Fuzzy Hash: B1318DB690011AABDB219FA4DC49FEF7BBDBF89700F1040A6F509D21A0E774A645CB34

Function 005DE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,005DBEF4,?,?), ref: 005DE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE776
CloseHandle.KERNEL32(00000000,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE783
GlobalLock.KERNEL32(00000000), ref: 005DE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE79B
GlobalUnlock.KERNEL32(00000000), ref: 005DE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005DBEF4,?,?,00000000,?), ref: 005DE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,005FD9BC,?), ref: 005DE7D5
GlobalFree.KERNEL32(00000000), ref: 005DE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 005DE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 005DE834
DeleteObject.GDI32(00000000), ref: 005DE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005DE872

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0556467fd8c429f271b06c150f2197d0b78fe2793647474bba75dc3a78988569
Instruction ID: 9f324424ce13c71448d7e4bab8d30bb6794114e73ecf08025daf12c446defdf3
Opcode Fuzzy Hash: 0556467fd8c429f271b06c150f2197d0b78fe2793647474bba75dc3a78988569
Instruction Fuzzy Hash: 84417A35600208EFDB21AF69CC88EAE7BBAFF99715F104059F905DB260C7349D04EB60

Function 005C05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 005C076F
_wcscat.LIBCMT ref: 005C0787
_wcscat.LIBCMT ref: 005C0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 005C07C2
GetFileAttributesW.KERNEL32(?), ref: 005C07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 005C07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 005C0806

Strings

*.*, xrefs: 005C0845

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 471961ee8a446d317fb4fc1836253cde4237312424df7a595f50b19c1588e060
Instruction ID: 6a6a5e2f8dd73a4908675303bcd633e1af416da21d93f46ad8b206dae948188b
Opcode Fuzzy Hash: 471961ee8a446d317fb4fc1836253cde4237312424df7a595f50b19c1588e060
Instruction Fuzzy Hash: A5817E71504301DFCB24DFA4C845E6ABBE8BBC8344F149C2EF889D7291E734D9958B92

Function 005DEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005DEF3B
GetFocus.USER32 ref: 005DEF4B
GetDlgCtrlID.USER32(00000000), ref: 005DEF56
_memset.LIBCMT ref: 005DF081
GetMenuItemInfoW.USER32 ref: 005DF0AC
GetMenuItemCount.USER32(00000000), ref: 005DF0CC
GetMenuItemID.USER32(?,00000000), ref: 005DF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 005DF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 005DF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005DF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 005DF1C8

Strings

0, xrefs: 005DF079

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1e9e07469e32a45a8c7a8ef72fab170a80bd7a1ca37218f07f1a1e38573f5b29
Instruction ID: eb857583acff7f5bd0efab791a85f4d6d55ac110bd04ad1fa31ad5e3d47fff48
Opcode Fuzzy Hash: 1e9e07469e32a45a8c7a8ef72fab170a80bd7a1ca37218f07f1a1e38573f5b29
Instruction Fuzzy Hash: F3816971504302AFDB20DF58C889A6ABFE9FB89314F00492FF99697391D730D905CBA2

Function 005AA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005AABD7
Part of subcall function 005AABBB: GetLastError.KERNEL32(?,005AA69F,?,?,?), ref: 005AABE1
Part of subcall function 005AABBB: GetProcessHeap.KERNEL32(00000008,?,?,005AA69F,?,?,?), ref: 005AABF0
Part of subcall function 005AABBB: HeapAlloc.KERNEL32(00000000,?,005AA69F,?,?,?), ref: 005AABF7
Part of subcall function 005AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005AAC0E

Part of subcall function 005AAC56: GetProcessHeap.KERNEL32(00000008,005AA6B5,00000000,00000000,?,005AA6B5,?), ref: 005AAC62
Part of subcall function 005AAC56: HeapAlloc.KERNEL32(00000000,?,005AA6B5,?), ref: 005AAC69
Part of subcall function 005AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005AA6B5,?), ref: 005AAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005AA8CB
_memset.LIBCMT ref: 005AA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005AA8FF
GetLengthSid.ADVAPI32(?), ref: 005AA910
GetAce.ADVAPI32(?,00000000,?), ref: 005AA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005AA969
GetLengthSid.ADVAPI32(?), ref: 005AA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005AA995
HeapAlloc.KERNEL32(00000000), ref: 005AA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005AA9BD
CopySid.ADVAPI32(00000000), ref: 005AA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005AA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005AAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005AAA2F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 71dd1fc498a9de052e8c05ee55bb64f8175c3150d295529feb4cd51c4910ed4d
Instruction ID: 1480b9109aec67d3ae51b3370513fa4ea0e1da610fb063d19ae133892ef8fd65
Opcode Fuzzy Hash: 71dd1fc498a9de052e8c05ee55bb64f8175c3150d295529feb4cd51c4910ed4d
Instruction Fuzzy Hash: 65511A7590020AAFDF10DF94DD49AEEBBBABF45300F048119F915E6290EB359A09DB61

Function 005C9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005C9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 005C9E42
CreateCompatibleDC.GDI32(?), ref: 005C9E4E
SelectObject.GDI32(00000000,?), ref: 005C9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 005C9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 005C9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 005C9F0F
SelectObject.GDI32(00000006,?), ref: 005C9F17
DeleteObject.GDI32(?), ref: 005C9F20
DeleteDC.GDI32(00000006), ref: 005C9F27
ReleaseDC.USER32(00000000,?), ref: 005C9F32

Strings

(, xrefs: 005C9ED7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7a83a35c8fb55451955fca8da0ba973c80beddf3dc66cbc9d6d24f611c04e8e0
Instruction ID: 63ee54cb0c6ded372b6743a06657a5f262d2c86618c60e9eb967d288ab6bbbf2
Opcode Fuzzy Hash: 7a83a35c8fb55451955fca8da0ba973c80beddf3dc66cbc9d6d24f611c04e8e0
Instruction Fuzzy Hash: 4F513975900309EFCB15CFA8C889EAEBBB9FF58710F14841DF95AA7210D735A945CBA0

Function 005BCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 005BCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 005BCCC5
__swprintf.LIBCMT ref: 005BCD1E
__swprintf.LIBCMT ref: 005BCD37
_wprintf.LIBCMT ref: 005BCDED
_wprintf.LIBCMT ref: 005BCE0B

Strings

Line %d (File "%s"):, xrefs: 005BCD18, 005BCD31
^ ERROR, xrefs: 005BCD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 005BCDE8
"%s" (%d) : ==> %s:, xrefs: 005BCE06
Error: , xrefs: 005BCDB5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 4d9d9d8d3deb5736e2fa43dba82fdbd26e42f05c3d6757e5f4302e363e23e93d
Instruction ID: ca183501761d56b455e64752e869e77372fbb50366477e110dd8e93e7507d139
Opcode Fuzzy Hash: 4d9d9d8d3deb5736e2fa43dba82fdbd26e42f05c3d6757e5f4302e363e23e93d
Instruction Fuzzy Hash: 1A518E3180061AAACB15EBA0DD4AEEEBF79FF45300F104165F409760A1EB306F55EF60

Function 005BCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 005BCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005BCAB0
__swprintf.LIBCMT ref: 005BCB09
__swprintf.LIBCMT ref: 005BCB22
_wprintf.LIBCMT ref: 005BCBCD
_wprintf.LIBCMT ref: 005BCBEB

Strings

Line %d (File "%s"):, xrefs: 005BCB03, 005BCB1C
^ ERROR , xrefs: 005BCB64
"%s" (%d) : ==> %s:%s%s, xrefs: 005BCBC8
"%s" (%d) : ==> %s:, xrefs: 005BCBE6
Error: , xrefs: 005BCB95

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: e976596055bf66beaad40c1426329c31c383c9dd064e44ed860d2bb4cbd0d6ea
Instruction ID: 6c2ce0f7bf70f8c3eab5d05dfddf74c34b3b630c27ec17408c73e94837c8304d
Opcode Fuzzy Hash: e976596055bf66beaad40c1426329c31c383c9dd064e44ed860d2bb4cbd0d6ea
Instruction Fuzzy Hash: 8B518E3180061AAACB15EBE0DD4AEEEBF79BF45300F504055B509760A2EB746F59EF60

Function 005D3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005D2BB5,?,?), ref: 005D3C1D

Strings

HKU, xrefs: 005D3D15
HKCC, xrefs: 005D3CD1
HKEY_CURRENT_USER, xrefs: 005D3CE2
$Eb, xrefs: 005D3C36
HKLM, xrefs: 005D3C81
HKCU, xrefs: 005D3CF3
HKEY_LOCAL_MACHINE, xrefs: 005D3C6C
HKCR, xrefs: 005D3CAB
HKEY_USERS, xrefs: 005D3D04
HKEY_CURRENT_CONFIG, xrefs: 005D3CC0
HKEY_CLASSES_ROOT, xrefs: 005D3C96

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharUpper
String ID: $Eb$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3998340613
Opcode ID: 66a9a21bbdf47e22c8227112f811b68a91b02b54312fd6f5b17c71a064448f73
Instruction ID: bf4c4419311fc4f42d9551dd2f5437931dc9e4fb4ef60504f30cf956c785be7a
Opcode Fuzzy Hash: 66a9a21bbdf47e22c8227112f811b68a91b02b54312fd6f5b17c71a064448f73
Instruction Fuzzy Hash: 7641423051424A8BDF10FF18E8556EA3F66BF52340F504816FC956B296EF70AE0ACF51

Function 005B55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 005B5664
GetMenuItemCount.USER32(00631708), ref: 005B56ED
DeleteMenu.USER32(00631708,00000005,00000000,000000F5,?,?), ref: 005B577D
DeleteMenu.USER32(00631708,00000004,00000000), ref: 005B5785
DeleteMenu.USER32(00631708,00000006,00000000), ref: 005B578D
DeleteMenu.USER32(00631708,00000003,00000000), ref: 005B5795
GetMenuItemCount.USER32(00631708), ref: 005B579D
SetMenuItemInfoW.USER32(00631708,00000004,00000000,00000030), ref: 005B57D3
GetCursorPos.USER32(?), ref: 005B57DD
SetForegroundWindow.USER32(00000000), ref: 005B57E6
TrackPopupMenuEx.USER32(00631708,00000000,?,00000000,00000000,00000000), ref: 005B57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005B5805

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 7980dcb120a61c7bbd6167efc65e10786d1faa3655bdd69c8559d1e8fc194486
Instruction ID: d36a70d19107755a307e080156d36a7886cd4195833f60dfaf6ea622a19d7037
Opcode Fuzzy Hash: 7980dcb120a61c7bbd6167efc65e10786d1faa3655bdd69c8559d1e8fc194486
Instruction Fuzzy Hash: C371F370640605BEEB289F54DC49FEABF66FF44364F244206F619AA1D1EBB17C10DBA0

Function 005B67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 005B67FD
__swprintf.LIBCMT ref: 005B680A

Part of subcall function 0059172B: __woutput_l.LIBCMT ref: 00591784

FindResourceW.KERNEL32(?,?,0000000E), ref: 005B6834
LoadResource.KERNEL32(?,00000000), ref: 005B6840
LockResource.KERNEL32(00000000), ref: 005B684D
FindResourceW.KERNEL32(?,?,00000003), ref: 005B686D
LoadResource.KERNEL32(?,00000000), ref: 005B687F
SizeofResource.KERNEL32(?,00000000), ref: 005B688E
LockResource.KERNEL32(?), ref: 005B689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 005B68F9

Strings

5b, xrefs: 005B67F6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5b
API String ID: 1433390588-3854325342
Opcode ID: 4b13290018e89f437e1f0cb17aabb9dcfcb37eb09f02f23eb686335a13090bb7
Instruction ID: 53e574bb9242b58a6e8f14a12f365862677e57b0806850b8ae447c508b0cbde3
Opcode Fuzzy Hash: 4b13290018e89f437e1f0cb17aabb9dcfcb37eb09f02f23eb686335a13090bb7
Instruction Fuzzy Hash: F6318E7590021AABDB119FA0DD59AFE7FB9FF08341F004825F912D6150E738E915DBB0

Function 005B25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005E36F4,00000010,?,Bad directive syntax error,0060DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 005B25D6
LoadStringW.USER32(00000000,?,005E36F4,00000010), ref: 005B25DD
_wprintf.LIBCMT ref: 005B2610
__swprintf.LIBCMT ref: 005B2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005B26A1

Strings

Line %d (File "%s"):, xrefs: 005B2647
., xrefs: 005B2687
Error: , xrefs: 005B266F
Line %d:, xrefs: 005B262C
%s (%d) : ==> %s.: %s %s, xrefs: 005B260B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: c61ae63da3d505757eb4bad3ec1d3ffed33043392067d68a391065ba2bc51111
Instruction ID: f1ab120649789570202efbc23d9f669548257b28597dde10778b9329784fb122
Opcode Fuzzy Hash: c61ae63da3d505757eb4bad3ec1d3ffed33043392067d68a391065ba2bc51111
Instruction Fuzzy Hash: 5D21413180022BAFCF11AF90DC4AEEE7F39BF18304F004455F509661A2EB75A618EF60

Function 005B7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005B7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005B7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005B7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005B7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005B7B8C

Strings

play PlayMe, xrefs: 005B7B87
status PlayMe mode, xrefs: 005B7B3D
open , xrefs: 005B7AF1
alias PlayMe, xrefs: 005B7B1B
play PlayMe wait, xrefs: 005B7B76
close PlayMe, xrefs: 005B7B53, 005B7B80

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: d3b6133228d8043874da5566c9bfbeb67afccc9a0398afada0412e291216377a
Instruction ID: 908e916662577601645fe4a298b7d18cdc037eee08a7b012935a88481fdb87be
Opcode Fuzzy Hash: d3b6133228d8043874da5566c9bfbeb67afccc9a0398afada0412e291216377a
Instruction Fuzzy Hash: 9C1190A0A4027A79DB20A761EC4ADFFBE7DFBD5B10F000429B415A61D1EFA01A45CDB0

Function 005B778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005B7794

Part of subcall function 0058DC38: timeGetTime.WINMM(?,7707B400,005E58AB), ref: 0058DC3C

Sleep.KERNEL32(0000000A), ref: 005B77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 005B77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 005B7806
SetActiveWindow.USER32 ref: 005B7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005B7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 005B7852
Sleep.KERNEL32(000000FA), ref: 005B785D
IsWindow.USER32 ref: 005B7869
EndDialog.USER32(00000000), ref: 005B787A

Strings

BUTTON, xrefs: 005B77F8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 207a56d6d3fa6dbc6c83ee2d06055c6d0951de64fddc9d9e41390f5261f7e7e3
Instruction ID: dfca158c4ebc5b1f36f01c35e1266d6659d04772b3e7569ad5bff377f624c20e
Opcode Fuzzy Hash: 207a56d6d3fa6dbc6c83ee2d06055c6d0951de64fddc9d9e41390f5261f7e7e3
Instruction Fuzzy Hash: DE213EB0204249AFE7055B20EC8DBB63F7BFB98748F005414F506C6262DF69AD08EB61

Function 005C02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

CoInitialize.OLE32(00000000), ref: 005C034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005C03DE
SHGetDesktopFolder.SHELL32(?), ref: 005C03F2
CoCreateInstance.OLE32(005FDA8C,00000000,00000001,00623CF8,?), ref: 005C043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005C04AD
CoTaskMemFree.OLE32(?,?), ref: 005C0505
_memset.LIBCMT ref: 005C0542
SHBrowseForFolderW.SHELL32(?), ref: 005C057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005C05A1
CoTaskMemFree.OLE32(00000000), ref: 005C05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005C05DF
CoUninitialize.OLE32(00000001,00000000), ref: 005C05E1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a6bb544f7e7ebfb7a83e0f473e3360b00b07c5da78bbaa84f8d4479dc61c5bc3
Instruction ID: 295b370f31762bd4c994dcb0d3356f078bf9aa4faa718b1bc31e3bcbf72f9634
Opcode Fuzzy Hash: a6bb544f7e7ebfb7a83e0f473e3360b00b07c5da78bbaa84f8d4479dc61c5bc3
Instruction Fuzzy Hash: 82B1DA75A00209EFDB14DFA4C888EAEBBB9FF88304B148499E809EB251D774ED45DF50

Function 005B2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005B2ED6
SetKeyboardState.USER32(?), ref: 005B2F41
GetAsyncKeyState.USER32(000000A0), ref: 005B2F61
GetKeyState.USER32(000000A0), ref: 005B2F78
GetAsyncKeyState.USER32(000000A1), ref: 005B2FA7
GetKeyState.USER32(000000A1), ref: 005B2FB8
GetAsyncKeyState.USER32(00000011), ref: 005B2FE4
GetKeyState.USER32(00000011), ref: 005B2FF2
GetAsyncKeyState.USER32(00000012), ref: 005B301B
GetKeyState.USER32(00000012), ref: 005B3029
GetAsyncKeyState.USER32(0000005B), ref: 005B3052
GetKeyState.USER32(0000005B), ref: 005B3060

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dd01bd447463ddc7a032a0b1c7c305cff898bdc289d00d3ca9a5296a7dd6af96
Instruction ID: a0db04fd882b727615d228678306183fad9d289e94fd6b70bcfe27449890b109
Opcode Fuzzy Hash: dd01bd447463ddc7a032a0b1c7c305cff898bdc289d00d3ca9a5296a7dd6af96
Instruction Fuzzy Hash: 8E51B760A0878929FB35EBA488557FABFF46F11340F08459DD5C25A1C2DA54BB8CCBB2

Function 005AED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005AED1E
GetWindowRect.USER32(00000000,?), ref: 005AED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005AED8E
GetDlgItem.USER32(?,00000002), ref: 005AED99
GetWindowRect.USER32(00000000,?), ref: 005AEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005AEE01
GetDlgItem.USER32(?,000003E9), ref: 005AEE0F
GetWindowRect.USER32(00000000,?), ref: 005AEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005AEE63
GetDlgItem.USER32(?,000003EA), ref: 005AEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005AEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 005AEE9B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: cac3a0b727612aa8f2efb0a7b27c70c4d56e6cd17bd3c2926daa7127f303c0d5
Instruction ID: 4c66ecdce2eb13750c30f447c10d84f9ba868f30c562d3efbe2feb62c9712d88
Opcode Fuzzy Hash: cac3a0b727612aa8f2efb0a7b27c70c4d56e6cd17bd3c2926daa7127f303c0d5
Instruction Fuzzy Hash: BA513171B00205AFDB18CF68DD8AAAEBBBAFB99300F14812DF519D7290D7749D04DB10

Function 0058B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0058B759,?,00000000,?,?,?,?,0058B72B,00000000,?), ref: 0058BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0058B72B), ref: 0058B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0058B72B,00000000,?,?,0058B2EF,?,?), ref: 0058B88D
DestroyAcceleratorTable.USER32(00000000), ref: 005ED8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0058B72B,00000000,?,?,0058B2EF,?,?), ref: 005ED8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0058B72B,00000000,?,?,0058B2EF,?,?), ref: 005ED8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0058B72B,00000000,?,?,0058B2EF,?,?), ref: 005ED90A
DeleteObject.GDI32(00000000), ref: 005ED91C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c81dca1c45b5e46b86c0c5095d566744d12eca16a3921bfa5db1ec83219142a5
Instruction ID: 874a6144d767e6452b8fd19cb0a232aaa639bd9c6acfbf7d406cb03ff4fd0018
Opcode Fuzzy Hash: c81dca1c45b5e46b86c0c5095d566744d12eca16a3921bfa5db1ec83219142a5
Instruction Fuzzy Hash: 7D618E30501741DFEB29AF55DD89B35BFFAFB96312F141519E882EA660C734A880DF90

Function 0058B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0058B526: GetWindowLongW.USER32(?,000000EB), ref: 0058B537

GetSysColor.USER32(0000000F), ref: 0058B438

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3a26e93fbe4b8ae651d2deb15a7a37ce8f4125d5a2065cd2e9683b9123a3d43c
Instruction ID: 7f04aca6aaf79054cb5cade148e77da837e85a5a8c5ec0f2eefde0ad00390239
Opcode Fuzzy Hash: 3a26e93fbe4b8ae651d2deb15a7a37ce8f4125d5a2065cd2e9683b9123a3d43c
Instruction Fuzzy Hash: 40418F30400140ABEF246F28988ABB93F6BBB56731F184261FDA59E1F6D7348C41E731

Function 005B690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 005B6923
_wcscpy.LIBCMT ref: 005B6934
__wsplitpath.LIBCMT ref: 005B6958
__wsplitpath.LIBCMT ref: 005B6979
_wcscpy.LIBCMT ref: 005B699B
_wcscpy.LIBCMT ref: 005B69B9
_wcscpy.LIBCMT ref: 005B69C7
_wcscat.LIBCMT ref: 005B69D6
_wcscat.LIBCMT ref: 005B6A2B
_wcscat.LIBCMT ref: 005B6A61
_wcscat.LIBCMT ref: 005B6A73

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 0bdf65563108e61b86b3b40ba52f0cc414717654cef555f02fcd0afcd0e60692
Instruction ID: 9a337f946f0c5ddc2c358bd92a24a228676c09dc0961122550b886432c702975
Opcode Fuzzy Hash: 0bdf65563108e61b86b3b40ba52f0cc414717654cef555f02fcd0afcd0e60692
Instruction Fuzzy Hash: 4E412E7688521DAECF61DB94CC45DDBB7BDFF84310F0045A6F659A2091EA30ABE48F50

Function 005BD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0060DC00,0060DC00,0060DC00), ref: 005BD7CE
GetDriveTypeW.KERNEL32(?,00623A70,00000061), ref: 005BD898
_wcscpy.LIBCMT ref: 005BD8C2

Strings

unknown, xrefs: 005BD859
network, xrefs: 005BD82C
ramdisk, xrefs: 005BD842
removable, xrefs: 005BD800
cdrom, xrefs: 005BD7EA
all, xrefs: 005BD7D4
fixed, xrefs: 005BD816

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a243bfb8d561287032151be9f6e26cbcad34c9a5cfe565faea400d92cce3a69a
Instruction ID: 30e469f8adde919d58e4ec7c74bbb51c89ac37509e17b7849e79a1e5858e7a90
Opcode Fuzzy Hash: a243bfb8d561287032151be9f6e26cbcad34c9a5cfe565faea400d92cce3a69a
Instruction Fuzzy Hash: A4518035508201AFC700EF14D896AAEBFB5FF84354F10892DF999672A2EB31ED05DB52

Function 0057936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 005793AB
__itow.LIBCMT ref: 005793DF

Part of subcall function 00591557: _xtow@16.LIBCMT ref: 00591578

Strings

%.15g, xrefs: 005793A5
True, xrefs: 005E4C8C
False, xrefs: 005E4C93
0x%p, xrefs: 005E4CAD

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 6be79f07ceb84a8f2896fb2256aab62d60e0aeb4d4396084c1f3671d31434859
Instruction ID: 55d35c97cd47900293ba8f6ab77e3bdc0356a22b05b66321a51807b2eacd15b4
Opcode Fuzzy Hash: 6be79f07ceb84a8f2896fb2256aab62d60e0aeb4d4396084c1f3671d31434859
Instruction Fuzzy Hash: EC41E6315006169BDB28EB74E946E697FE9FF88300F20886EE58DD71D1EA319D41DB60

Function 005DA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005DA259
CreateCompatibleDC.GDI32(00000000), ref: 005DA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005DA273
SelectObject.GDI32(00000000,00000000), ref: 005DA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 005DA286
DeleteDC.GDI32(00000000), ref: 005DA28F
GetWindowLongW.USER32(?,000000EC), ref: 005DA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005DA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005DA2B9

Strings

static, xrefs: 005DA1F1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b43fceb1949db9aacea31d6bab45dc4a71fff8028ab55941614873ff328645a6
Instruction ID: 5da980a15f21b2df833eab1620bc234be5681488683c8d363110d4af8e7f4d0a
Opcode Fuzzy Hash: b43fceb1949db9aacea31d6bab45dc4a71fff8028ab55941614873ff328645a6
Instruction Fuzzy Hash: 2D316931100115ABDF215FA9DC49FEB3F7AFF1A361F100216FA19E61A0C7399811EBA4

Function 005B6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005B6F1D
gethostname.WSOCK32(?,00000100), ref: 005B6F37
gethostbyname.WSOCK32(?), ref: 005B6F44
_wcscpy.LIBCMT ref: 005B6F6C
inet_ntoa.WSOCK32(?), ref: 005B6F8A
_strcat.LIBCMT ref: 005B6F98
_wcscpy.LIBCMT ref: 005B6FAF
WSACleanup.WSOCK32 ref: 005B6FBD
_wcscpy.LIBCMT ref: 005B6FCB

Strings

0.0.0.0, xrefs: 005B6F66

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a6a5358f9ddcd6907ca04acb9dd70e084c2c9929cfdb5e043035c0a21f2e744c
Instruction ID: 36c0069308be49f8cbe9ee890206d4bfa5138ec491a355a573c73e2540e30d4d
Opcode Fuzzy Hash: a6a5358f9ddcd6907ca04acb9dd70e084c2c9929cfdb5e043035c0a21f2e744c
Instruction Fuzzy Hash: CE11D271504219AFCB24BB64AC4EEEA7FBCFF84710F010065F505E6081EF78AA85DB60

Function 0059500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00595047

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

__gmtime64_s.LIBCMT ref: 005950E0
__gmtime64_s.LIBCMT ref: 00595116
__gmtime64_s.LIBCMT ref: 00595133
__allrem.LIBCMT ref: 00595189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005951A5
__allrem.LIBCMT ref: 005951BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005951DA
__allrem.LIBCMT ref: 005951F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0059520F
__invoke_watson.LIBCMT ref: 00595280

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: e1e98ceabe7f11d29960918a88047889891b5f34973280c4707982e9050e1e82
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: CC71F272A00F17ABEF169F78CC46B6EBBA8BF45764F14422AE510D6281F770D9508BD0

Function 005B4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B4DF8
GetMenuItemInfoW.USER32(00631708,000000FF,00000000,00000030), ref: 005B4E59
SetMenuItemInfoW.USER32(00631708,00000004,00000000,00000030), ref: 005B4E8F
Sleep.KERNEL32(000001F4), ref: 005B4EA1
GetMenuItemCount.USER32(?), ref: 005B4EE5
GetMenuItemID.USER32(?,00000000), ref: 005B4F01
GetMenuItemID.USER32(?,-00000001), ref: 005B4F2B
GetMenuItemID.USER32(?,?), ref: 005B4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005B4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005B4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005B4FEB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 030ceb52a7a4965055d500b9fa8a913d0c8ffbd5b6f6e6d3fce080be178a116a
Instruction ID: d73c123161988f55294eb8c1ee971e68f0f08d31488a355c11ec7062c91fb9b1
Opcode Fuzzy Hash: 030ceb52a7a4965055d500b9fa8a913d0c8ffbd5b6f6e6d3fce080be178a116a
Instruction Fuzzy Hash: B76169B1900289AFDB21CFA4D888AFE7FBAFB45308F140459F841A7252E731AD45DF21

Function 005D9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005D9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005D9C9B
GetWindowLongW.USER32(?,000000F0), ref: 005D9CBF
_memset.LIBCMT ref: 005D9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005D9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005D9D5A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: de07d6038c1452d3ee4177b3b05c3e3a71ce419bce5f282cdb840f04a7545070
Instruction ID: 961cff84097c2976f063a926cf42b33fc70225601e18dff452f7dca6eb75f973
Opcode Fuzzy Hash: de07d6038c1452d3ee4177b3b05c3e3a71ce419bce5f282cdb840f04a7545070
Instruction Fuzzy Hash: 3F616C75900248AFDB20DFA8CC81EEE7BB9FB0A704F144556FA04EB3A1D774A941DB50

Function 005A94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 005A94FE
SafeArrayAllocData.OLEAUT32(?), ref: 005A9549
VariantInit.OLEAUT32(?), ref: 005A955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 005A957B
VariantCopy.OLEAUT32(?,?), ref: 005A95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 005A95D2
VariantClear.OLEAUT32(?), ref: 005A95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 005A95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005A95FD
VariantClear.OLEAUT32(?), ref: 005A960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005A961A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ba89c79cfd2fa1bfb0104eb6403112bf382db1f1137d526c8439c5bcb9e741de
Instruction ID: c882939d2d38ad5c1feb7da0adc568df4e05a36caf89251a09b89dbe56a52768
Opcode Fuzzy Hash: ba89c79cfd2fa1bfb0104eb6403112bf382db1f1137d526c8439c5bcb9e741de
Instruction Fuzzy Hash: 9F415D31D00229AFCF01EFA4D8889EEBFB9FF58354F008065E901E3251DB75AA45DBA1

Function 005CBB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005CBB5C
VariantInit.OLEAUT32(?), ref: 005CBC2D
VariantInit.OLEAUT32(?), ref: 005CBD2E
VariantClear.OLEAUT32(?), ref: 005CBD38
VariantClear.OLEAUT32(?), ref: 005CBD99

Strings

|?b, xrefs: 005CBB34
h?b, xrefs: 005CBB2D
Incorrect Object type in FOR..IN loop, xrefs: 005CBD11
Null Object assignment in FOR..IN loop, xrefs: 005CBBBD, 005CBCEB, 005CBDA7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?b$|?b
API String ID: 2862541840-17599561
Opcode ID: f3f8aa9aa8e68285c23009c5a0fc098162ea4b599a60f24386f4bd08b2f2f1de
Instruction ID: b55ca1fec46ea6ab5ad395316cb84cb3ffa28d87a7e72cfa38d35801b78c75d3
Opcode Fuzzy Hash: f3f8aa9aa8e68285c23009c5a0fc098162ea4b599a60f24386f4bd08b2f2f1de
Instruction Fuzzy Hash: 43916C71A00219AFEF24DF95D849FAEBBB8FF85710F10855DE516AB280D7709944CFA0

Function 005CADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

CoInitialize.OLE32 ref: 005CADF6
CoUninitialize.OLE32 ref: 005CAE01
CoCreateInstance.OLE32(?,00000000,00000017,005FD8FC,?), ref: 005CAE61
IIDFromString.OLE32(?,?), ref: 005CAED4
VariantInit.OLEAUT32(?), ref: 005CAF6E
VariantClear.OLEAUT32(?), ref: 005CAFCF

Strings

Invalid parameter, xrefs: 005CAEED
Failed to create object, xrefs: 005CAE6C, 005CAF22
NULL Pointer assignment, xrefs: 005CAEA6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 135fa6b1d22af1ce5612056571dbab3c539700c1c79e7e16f295e744e6e95068
Instruction ID: 9e6071b8c4e9c049fa841cccf9fd44e2a9d54d285e33e1630212dd5e9d3a6bb3
Opcode Fuzzy Hash: 135fa6b1d22af1ce5612056571dbab3c539700c1c79e7e16f295e744e6e95068
Instruction Fuzzy Hash: E66167702086169FD711DF94D888F6ABFE8BF88718F00480DF9859B291D770ED48CBA2

Function 005C8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005C8168
inet_addr.WSOCK32(?,?,?), ref: 005C81AD
gethostbyname.WSOCK32(?), ref: 005C81B9
IcmpCreateFile.IPHLPAPI ref: 005C81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005C8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005C824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005C82C2
WSACleanup.WSOCK32 ref: 005C82C8

Strings

Ping, xrefs: 005C81EB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8aaefec5a0dc27196c0901c86d7fc6d727e3e814200c74c61320543804170f63
Instruction ID: d349cd7494555e2f4132fc12d4145b334f414af5a05933d1c407803814cac026
Opcode Fuzzy Hash: 8aaefec5a0dc27196c0901c86d7fc6d727e3e814200c74c61320543804170f63
Instruction Fuzzy Hash: 66517C356046019FD720ABA4DC49F3ABFE5FF88310F048869F99ADB2A1DB74E805DB51

Function 005D9E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D9E5B
CreateMenu.USER32 ref: 005D9E76
SetMenu.USER32(?,00000000), ref: 005D9E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005D9F12
IsMenu.USER32(?), ref: 005D9F28
CreatePopupMenu.USER32 ref: 005D9F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005D9F63
DrawMenuBar.USER32 ref: 005D9F71

Strings

0, xrefs: 005D9E54

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 9136e362a520194cc8d85c4d621b72bd966bc3d5b0ab6577cf72dadbf999e122
Instruction ID: c889d83a2366375567f45bbed209756f88d64f919f4b3e5d074ba0d2b355dccd
Opcode Fuzzy Hash: 9136e362a520194cc8d85c4d621b72bd966bc3d5b0ab6577cf72dadbf999e122
Instruction Fuzzy Hash: 794179B4A00206AFDB21DFA8D844BEABBB6FF49304F14411AF945D7350D734A914DFA1

Function 005BE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005BE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005BE40C
GetLastError.KERNEL32 ref: 005BE416
SetErrorMode.KERNEL32(00000000,READY), ref: 005BE483

Strings

READONLY, xrefs: 005BE44E
NOTREADY, xrefs: 005BE442
UNKNOWN, xrefs: 005BE43B
INVALID, xrefs: 005BE455
READY, xrefs: 005BE45C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ccdee07305c13424f058645e188d10fd8587b391a9e30382103e075b24a85177
Instruction ID: 8622cc45e6505f402ea1f2678c38f880913f674bba8e80ab63fc479bad008625
Opcode Fuzzy Hash: ccdee07305c13424f058645e188d10fd8587b391a9e30382103e075b24a85177
Instruction Fuzzy Hash: 4431A435A0021A9FDB01EF64D84AEFDBFB5FF54300F188455E505EB291DB74AA01DB91

Function 005AB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005AB98C
GetDlgCtrlID.USER32 ref: 005AB997
GetParent.USER32 ref: 005AB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 005AB9B6
GetDlgCtrlID.USER32(?), ref: 005AB9BF
GetParent.USER32(?), ref: 005AB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 005AB9DE

Strings

ListBox, xrefs: 005AB949
ComboBox, xrefs: 005AB911

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 75700ccc4bf6cbf0e9b820a34ed670dec3bc01367d1c03a910fab8ab7b72434a
Instruction ID: 864387d69421bc309a984a4a813aff36c081f6634d67afb08290a86bd4182da8
Opcode Fuzzy Hash: 75700ccc4bf6cbf0e9b820a34ed670dec3bc01367d1c03a910fab8ab7b72434a
Instruction Fuzzy Hash: A521F470900105BFDB00ABA0DC85EBEBF75FB5A300B004119F655D7292DB794819EB70

Function 005AB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005ABA73
GetDlgCtrlID.USER32 ref: 005ABA7E
GetParent.USER32 ref: 005ABA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 005ABA9D
GetDlgCtrlID.USER32(?), ref: 005ABAA6
GetParent.USER32(?), ref: 005ABAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 005ABAC5

Strings

ListBox, xrefs: 005ABA32
ComboBox, xrefs: 005AB9FA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: da4e0cf0f9cdd4f1ee7e853773c6dfe69d48590fc675ae057b6af8f1bc66ace6
Instruction ID: 2dc103a5cd67ce55212fd0af1892c297115acbe813c318f1245b8566494cbb83
Opcode Fuzzy Hash: da4e0cf0f9cdd4f1ee7e853773c6dfe69d48590fc675ae057b6af8f1bc66ace6
Instruction Fuzzy Hash: 9D21BDB4A00109BBDB01ABA4DC85EBEBF7AFB4A300F004019F955E7192DB794819EB60

Function 005ABAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005ABAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 005ABAF8
_wcscmp.LIBCMT ref: 005ABB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005ABB85

Strings

smallicons, xrefs: 005ABB4D
largeicons, xrefs: 005ABB19
list, xrefs: 005ABB67
details, xrefs: 005ABB33
SHELLDLL_DefView, xrefs: 005ABB04

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 162ce34ab4b7cfbbe2ddfc694531ab33ec119091003262bb1e497f858bbbc22b
Instruction ID: 67edf909d7da03ab4da19e73df38ea203f6d665c03c0f994597cc088a5ef4c95
Opcode Fuzzy Hash: 162ce34ab4b7cfbbe2ddfc694531ab33ec119091003262bb1e497f858bbbc22b
Instruction Fuzzy Hash: 75112C7660871BFFFA206630EC1BDAA3F9EBB62720B200011F904E40D7FF62595159B4

Function 005CB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005CB2D5
CoInitialize.OLE32(00000000), ref: 005CB302
CoUninitialize.OLE32 ref: 005CB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 005CB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 005CB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 005CB56D
CoGetObject.OLE32(?,00000000,005FD91C,?), ref: 005CB590
SetErrorMode.KERNEL32(00000000), ref: 005CB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005CB623
VariantClear.OLEAUT32(005FD91C), ref: 005CB633

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 8e70d2bb36b8b834b0120b0331cab35257fbb5ea362bd9955646400f16f2c6de
Instruction ID: 182e614a26f197e011aa4652c4b6abfe89f6d64b5f9485c6f31a03c7fe9161fc
Opcode Fuzzy Hash: 8e70d2bb36b8b834b0120b0331cab35257fbb5ea362bd9955646400f16f2c6de
Instruction Fuzzy Hash: 62C113B1608301AFD704DFA8C885A2BBBE9BF89744F00495DF58ADB251DB71ED05CB62

Function 0059ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0059ACC1

Part of subcall function 00597CF4: __mtinitlocknum.LIBCMT ref: 00597D06
Part of subcall function 00597CF4: EnterCriticalSection.KERNEL32(00000000,?,00597ADD,0000000D), ref: 00597D1F

__calloc_crt.LIBCMT ref: 0059ACD2

Part of subcall function 00596986: __calloc_impl.LIBCMT ref: 00596995
Part of subcall function 00596986: Sleep.KERNEL32(00000000,000003BC,0058F507,?,0000000E), ref: 005969AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0059ACED
GetStartupInfoW.KERNEL32(?,00626E28,00000064,00595E91,00626C70,00000014), ref: 0059AD46
__calloc_crt.LIBCMT ref: 0059AD91
GetFileType.KERNEL32(00000001), ref: 0059ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0059AE11

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: b14c4079f84f4468beae042eacfb67f618126f1b66551e96de312b248ac84167
Instruction ID: 9fe38a0b5dd904f4ef8beb3511195a7f218ca555e88a5ba210e4cc41208cce5a
Opcode Fuzzy Hash: b14c4079f84f4468beae042eacfb67f618126f1b66551e96de312b248ac84167
Instruction Fuzzy Hash: 5A81E1709053468FDF14CF68C8845ADBFF5BF49324B24565DE4A6AB3D1D7389802CBA2

Function 005B4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005B4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005B30A5,?,00000001), ref: 005B405B
GetWindowThreadProcessId.USER32(00000000), ref: 005B4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005B30A5,?,00000001), ref: 005B4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 005B4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005B30A5,?,00000001), ref: 005B409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005B30A5,?,00000001), ref: 005B40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005B30A5,?,00000001), ref: 005B40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005B30A5,?,00000001), ref: 005B4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005B30A5,?,00000001), ref: 005B4113

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f717011a7403a8a6c59608817c8706a52d8d51fc713a37d53aa230af4fc82a65
Instruction ID: 1a12e95d63b42f5a82082bf89a04838d6cd80032f07616c7968fc38acadf46f5
Opcode Fuzzy Hash: f717011a7403a8a6c59608817c8706a52d8d51fc713a37d53aa230af4fc82a65
Instruction Fuzzy Hash: EF319371900214AFDB20DF58DC4ABB97BBAFB64311F209006F905D6291CBB8AD84CFA0

Function 005EDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0058B496
SetTextColor.GDI32(?,000000FF), ref: 0058B4A0
SetBkMode.GDI32(?,00000001), ref: 0058B4B5
GetStockObject.GDI32(00000005), ref: 0058B4BD
GetClientRect.USER32(?), ref: 005EDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 005EDD7A
GetWindowDC.USER32(?), ref: 005EDD86
GetPixel.GDI32(00000000,?,?), ref: 005EDD95
ReleaseDC.USER32(?,00000000), ref: 005EDDA7
GetSysColor.USER32(00000005), ref: 005EDDC5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 26406d528411cae34e574f943af56601ee67ad53e6e2806c83f6c2acb8136a15
Instruction ID: 3de4b21da307cc0ef5caba557c3c8c3eea2c7f0ff908c1b7e67a4229a84e9e39
Opcode Fuzzy Hash: 26406d528411cae34e574f943af56601ee67ad53e6e2806c83f6c2acb8136a15
Instruction Fuzzy Hash: 69114931500205AFEB216BA4EC09FB97F76FB15325F208625FA66E90F2CB350945EB30

Function 00573093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005730DC
CoUninitialize.OLE32(?,00000000), ref: 00573181
UnregisterHotKey.USER32(?), ref: 005732A9
DestroyWindow.USER32(?), ref: 005E5079
FreeLibrary.KERNEL32(?), ref: 005E50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005E5125

Strings

close all, xrefs: 005730D7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 75a7cea2b5874d3f8db29f7e36834c2b11aaf34f2e6e6866dfcfc20d0389708d
Instruction ID: e35a2f81f0d126b20c2a52e0304e901f348256941629ed3fd8ad4775684ed213
Opcode Fuzzy Hash: 75a7cea2b5874d3f8db29f7e36834c2b11aaf34f2e6e6866dfcfc20d0389708d
Instruction Fuzzy Hash: 20915C342001428FC709EF14D899E68FBB4FF55314F5481A9E50EA7262DF30AE5AEF50

Function 0058CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0058CC15

Part of subcall function 0058CCCD: GetClientRect.USER32(?,?), ref: 0058CCF6
Part of subcall function 0058CCCD: GetWindowRect.USER32(?,?), ref: 0058CD37
Part of subcall function 0058CCCD: ScreenToClient.USER32(?,?), ref: 0058CD5F

GetDC.USER32 ref: 005ED137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005ED14A
SelectObject.GDI32(00000000,00000000), ref: 005ED158
SelectObject.GDI32(00000000,00000000), ref: 005ED16D
ReleaseDC.USER32(?,00000000), ref: 005ED175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005ED200

Strings

U, xrefs: 005ED0D5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f6d69083dcaf6c242731d7a8054df234f2cc1d0d653b95982bf66556278ee857
Instruction ID: 910aaf547de511ec027021545dc31578c0574d325da4709be716c3abf24cc1f4
Opcode Fuzzy Hash: f6d69083dcaf6c242731d7a8054df234f2cc1d0d653b95982bf66556278ee857
Instruction Fuzzy Hash: 8471F230400245DFCF29AF65C885ABA7FB6FF89310F18466AED95AA2A5D7318C41DF70

Function 005DECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

Part of subcall function 0058B63C: GetCursorPos.USER32(000000FF), ref: 0058B64F
Part of subcall function 0058B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0058B66C
Part of subcall function 0058B63C: GetAsyncKeyState.USER32(00000001), ref: 0058B691
Part of subcall function 0058B63C: GetAsyncKeyState.USER32(00000002), ref: 0058B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 005DED3C
ImageList_EndDrag.COMCTL32 ref: 005DED42
ReleaseCapture.USER32 ref: 005DED48
SetWindowTextW.USER32(?,00000000), ref: 005DEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005DEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 005DEEDC

Strings

@GUI_DRAGFILE, xrefs: 005DEE77
@GUI_DROPID, xrefs: 005DEE33

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 84dd062cc4818c2ace9696c3a00d50badf8a98aaf56f4185186c331289eb4dd2
Instruction ID: 0b22e564bd18748d636d647a9ec6892b150a3f21bce85b15e7931628b7476b87
Opcode Fuzzy Hash: 84dd062cc4818c2ace9696c3a00d50badf8a98aaf56f4185186c331289eb4dd2
Instruction Fuzzy Hash: B7518C70104301AFD710EF54DC5AF6A7BFAFB89704F00491EF9559B2A1DB709948DBA2

Function 005C45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005C45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005C462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005C466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005C4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005C468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005C46BF
InternetCloseHandle.WININET(00000000), ref: 005C4706

Part of subcall function 005C5052: GetLastError.KERNEL32(?,?,005C43CC,00000000,00000000,00000001), ref: 005C5067

Strings

, xrefs: 005C46B8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: a41f926ee2d258e8e02ad51fa41ac644be602b425ee9488d35d388ff74247378
Instruction ID: 33a65803be717cff9bf3bc0deb89566e432ce0cafe33ab4858cb5fc5096c4ae1
Opcode Fuzzy Hash: a41f926ee2d258e8e02ad51fa41ac644be602b425ee9488d35d388ff74247378
Instruction Fuzzy Hash: A5417DB1501209BFEB119F90CC99FBB7BADFF09354F10401AFA05DA185E7B49984DBA4

Function 005CB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0060DC00), ref: 005CB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0060DC00), ref: 005CB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005CB8C1
SysFreeString.OLEAUT32(?), ref: 005CB8EB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 35378581cf964ff3155de1b130fafdccd1d919cb47472708a60ded45a0156232
Instruction ID: bbba4f3a6279a4dfe3571ee8692513bee6e25ff810abfd23705e8e235edfe393
Opcode Fuzzy Hash: 35378581cf964ff3155de1b130fafdccd1d919cb47472708a60ded45a0156232
Instruction Fuzzy Hash: E0F12B75A00109EFDF14DF94C889EAEBBBAFF89315F108498F905AB250DB71AE45CB50

Function 005D24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005D2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005D26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005D26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005D270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005D286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 005D28A1
CloseHandle.KERNEL32(?), ref: 005D28D0
CloseHandle.KERNEL32(?), ref: 005D2947

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d340af918fdf3aa6bd457ce3363960a6f1e635556b9a0b849812b8fc2def4fa7
Instruction ID: 905a1021007a5fe36e9660a586ce884fd73f731a00834e9e11d5ff892a13bfc4
Opcode Fuzzy Hash: d340af918fdf3aa6bd457ce3363960a6f1e635556b9a0b849812b8fc2def4fa7
Instruction Fuzzy Hash: 43D19F356043019FCB24EF28D455A6ABFE5BF94310F14885EF8899B3A2DB31EC45CB52

Function 005DB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005DB3F4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0411196fab07d0eb65340adc014c3cfd38d707140b514fc9cb60dcc42980b965
Instruction ID: f7beeac2b80a6c7c992276d743b30ee0581593e254601dbf52696560262987cd
Opcode Fuzzy Hash: 0411196fab07d0eb65340adc014c3cfd38d707140b514fc9cb60dcc42980b965
Instruction Fuzzy Hash: D4518E30500205EAFF309B2C9C89BAD3FA7BB45314F654917FA15E63A2DB71EA40EB51

Function 0058A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005EDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005EDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005EDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005EDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005EDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0058A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 005EDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005EDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0058A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 005EDBC8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ae6d6290b4b9ee4eae936f428037f85a864d004e6f7b7f1ffdaad01e71e858e5
Instruction ID: bf0fddf90f25e5f769bcf140927d75e55f5f88f107b1b0adb5dc09b9fcd20fbd
Opcode Fuzzy Hash: ae6d6290b4b9ee4eae936f428037f85a864d004e6f7b7f1ffdaad01e71e858e5
Instruction Fuzzy Hash: 16516070600209EFEB24DF65CC85FAA7BB9FB59750F100519F946EB290E774AD40EB60

Function 005B7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005B5FA6,?), ref: 005B6ED8

Part of subcall function 005B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005B5FA6,?), ref: 005B6EF1

Part of subcall function 005B72CB: GetFileAttributesW.KERNEL32(?,005B6019), ref: 005B72CC

lstrcmpiW.KERNEL32(?,?), ref: 005B75CA
_wcscmp.LIBCMT ref: 005B75E2
MoveFileW.KERNEL32(?,?), ref: 005B75FB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: b1e7da756bbbe0370eb374079ab34230697f92ec53c543a0121230c3d05c7054
Instruction ID: 434e0479bfa1978f77328748142bab9887c08e7e572f6c428d0cb120475f7650
Opcode Fuzzy Hash: b1e7da756bbbe0370eb374079ab34230697f92ec53c543a0121230c3d05c7054
Instruction Fuzzy Hash: E45120B2A0921D5EDF64EB94D8859DE77BCAF8C310F00449AF605E3141EA74A6C9CF64

Function 0058EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,005EDAD1,00000004,00000000,00000000), ref: 0058EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,005EDAD1,00000004,00000000,00000000), ref: 0058EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,005EDAD1,00000004,00000000,00000000), ref: 005EDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,005EDAD1,00000004,00000000,00000000), ref: 005EDCF2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4ef466041cbb1b43c6d0ab778d768c91abcdc49e46cbed4894c5dcd1cd11f163
Instruction ID: be793f616cb796fb18717b58332be136be9c7f7fc522355bc394077dae97b8e0
Opcode Fuzzy Hash: 4ef466041cbb1b43c6d0ab778d768c91abcdc49e46cbed4894c5dcd1cd11f163
Instruction Fuzzy Hash: C941EA70205280DBD73D77298D8FB3A7EB6BB52306F291819E88BA6561C674BC40D321

Function 005ABFF0 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005AD342: GetWindowThreadProcessId.USER32(?,00000000), ref: 005AD362
Part of subcall function 005AD342: GetCurrentThreadId.KERNEL32 ref: 005AD369
Part of subcall function 005AD342: AttachThreadInput.USER32(00000000,?,005AC005,?,00000001), ref: 005AD370

MapVirtualKeyW.USER32(00000025,00000000), ref: 005AC010
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005AC02D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005AC030
MapVirtualKeyW.USER32(00000025,00000000), ref: 005AC039
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005AC057
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005AC05A
MapVirtualKeyW.USER32(00000025,00000000), ref: 005AC063
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005AC07A
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005AC07D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6e0697bd7b517cfdbd66466ae7bd05d49abf34bd803123b9ee042e3281b64bdf
Instruction ID: b57d641282881e16565644518e5be3082c9bc1b1185830055cf8c2c1ce559fbb
Opcode Fuzzy Hash: 6e0697bd7b517cfdbd66466ae7bd05d49abf34bd803123b9ee042e3281b64bdf
Instruction Fuzzy Hash: F3115AB5540618BAFB106B648C89F6E3E2EFB58755F100815B241AA0A0C9B65C41EAB4

Function 005AB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 005AB26C
HeapAlloc.KERNEL32(00000000), ref: 005AB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 005AB288
GetCurrentProcess.KERNEL32(?,00000000), ref: 005AB290
DuplicateHandle.KERNEL32(00000000), ref: 005AB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 005AB2A3
GetCurrentProcess.KERNEL32(?,00000000), ref: 005AB2AB
DuplicateHandle.KERNEL32(00000000), ref: 005AB2AE
CreateThread.KERNEL32(00000000,00000000,005AB2D4,00000000,00000000,00000000), ref: 005AB2C8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 847ef0ffe7b98dcea6cc355e45c3ef324b01a3ffb7c83b5b36f66bc624de3353
Instruction ID: f33eb73e229f8345f0b1e06f3c2374416a30f41a9d8355b0381d954a1825c33c
Opcode Fuzzy Hash: 847ef0ffe7b98dcea6cc355e45c3ef324b01a3ffb7c83b5b36f66bc624de3353
Instruction Fuzzy Hash: E201B6B5280308BFE710ABA5DC49F6B7BADEB99711F018411FA05DB1A1CA799804DB71

Function 005CC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 005CC49E
NULL Pointer assignment, xrefs: 005CC876, 005CC887

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bc54a5f6b6b1f9a7137ff02c846123c6abb2eacbe60ac996d3e8afc0eca6ab7e
Instruction ID: 44afa614e34a14db38f31341dcd1d56b8a27e7e397ba749ac471c66d28128a8b
Opcode Fuzzy Hash: bc54a5f6b6b1f9a7137ff02c846123c6abb2eacbe60ac996d3e8afc0eca6ab7e
Instruction Fuzzy Hash: 2CE18F71A0021AAFDF14DFA8D985FAE7FB5FB48314F14846DE909AB281D770AD41CB90

Function 005C16DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

Part of subcall function 0058C6F4: _wcscpy.LIBCMT ref: 0058C717

_wcstok.LIBCMT ref: 005C184E
_wcscpy.LIBCMT ref: 005C18DD
_memset.LIBCMT ref: 005C1910

Strings

X, xrefs: 005C1948
p2bl2b, xrefs: 005C1920

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2bl2b
API String ID: 774024439-2533266811
Opcode ID: ac7a4647055af336449a108ccff6bb415be32e33a2cc9ddeb72e7047219a0186
Instruction ID: 2478bfe5641272740e79c023a21b068a09146964d31e6039b4cf231250bc5693
Opcode Fuzzy Hash: ac7a4647055af336449a108ccff6bb415be32e33a2cc9ddeb72e7047219a0186
Instruction Fuzzy Hash: 8EC17D355047429FC724EF64D889E5ABBE4FF86350F00892DF889972A2DB30EC05DB96

Function 005D9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005D9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 005D9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005D9B47
_wcscat.LIBCMT ref: 005D9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 005D9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005D9BE7

Strings

SysListView32, xrefs: 005D9AEB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: eb44c96b286239fa316930a10098cc6c3760ded86749f4183299b47548f4211d
Instruction ID: 8b02aa9051012279fc2217b9f4ea34b46f1f21d8336a95982fa8e29833ee2353
Opcode Fuzzy Hash: eb44c96b286239fa316930a10098cc6c3760ded86749f4183299b47548f4211d
Instruction Fuzzy Hash: A041A671A00308ABEB219F68DC85BEE7BB9FF48350F10082BF545E7291D6759D85CB60

Function 005D172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 005B6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005B6554
Part of subcall function 005B6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 005B6564
Part of subcall function 005B6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 005B65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005D179A
GetLastError.KERNEL32 ref: 005D17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005D17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 005D1855
GetLastError.KERNEL32(00000000), ref: 005D1860
CloseHandle.KERNEL32(00000000), ref: 005D1895

Strings

SeDebugPrivilege, xrefs: 005D17B8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cc18305bb93b4346ac1ff11eb576b8b249e51470d6cd9daa173519f3e45ed8c4
Instruction ID: 0d3735d345b0dfeb76b3d0fa09d6158c9b7ba2beecbd6ec3024cbc1d4584ca5a
Opcode Fuzzy Hash: cc18305bb93b4346ac1ff11eb576b8b249e51470d6cd9daa173519f3e45ed8c4
Instruction Fuzzy Hash: 9841AF71600202AFDB15EF58C899FBD7FA2BF94310F04849AF9069B3D2DB78A904DB55

Function 005B5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005B58B8

Strings

stop, xrefs: 005B5889
blank, xrefs: 005B583A
question, xrefs: 005B5871
warning, xrefs: 005B58A1
info, xrefs: 005B5859

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8cce6a86e0271f35670dbdaa02dd627161545e20bc15cae1766a8ca49b494e1e
Instruction ID: 43270faa7e9fdc942a94f288dd3401e082b87deed426412b8af59b85f152ffca
Opcode Fuzzy Hash: 8cce6a86e0271f35670dbdaa02dd627161545e20bc15cae1766a8ca49b494e1e
Instruction Fuzzy Hash: 5F110D31609B67BEEB095B54AC82FEA3F9DBF25310F30043AF501E52C1F7A4BA404664

Function 005BA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 005BA806

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 09659fd76b272c12b3085983568f78e4d8969be93c5577f3188a9ba2c8798621
Instruction ID: e292d4c5fc39e9fd110cc818aa868f2b7846c955ad121561782fee9adf751f5f
Opcode Fuzzy Hash: 09659fd76b272c12b3085983568f78e4d8969be93c5577f3188a9ba2c8798621
Instruction Fuzzy Hash: 0EC17975A0421ADFDB00DF98C485BEEBBF4FF08311F20846AE606E7241D774AA45CBA1

Function 005B6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005B6B63
LoadStringW.USER32(00000000), ref: 005B6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005B6B80
LoadStringW.USER32(00000000), ref: 005B6B87
_wprintf.LIBCMT ref: 005B6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005B6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005B6BA8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 51aefc3d0d8ef4e8e9fa8d175a7922b47506dce5cfd7b2c91713187498be81f3
Instruction ID: 7ed9a0e4b0955311bb9cab0cc13034b0c4155593a1c9245cf5d9d2848df69684
Opcode Fuzzy Hash: 51aefc3d0d8ef4e8e9fa8d175a7922b47506dce5cfd7b2c91713187498be81f3
Instruction Fuzzy Hash: FC0112F65002187FEB11AB949D89EFB767DE704304F004491B745D2041EA789E88DF74

Function 005D2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005D2BB5,?,?), ref: 005D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005D2BF6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 63ff1a2d177f6f0bfdd87683c7e11a01f9390b6fddce3f56959b66aef6c39c1a
Instruction ID: 1f50f7f095834fde1bdf4f171eeecf795edd44779dcb850557b3ad627145453a
Opcode Fuzzy Hash: 63ff1a2d177f6f0bfdd87683c7e11a01f9390b6fddce3f56959b66aef6c39c1a
Instruction Fuzzy Hash: 40914C712042019FC711EF18C899B6EBBE5FF94310F04885EF99A972A1DB34E946DB52

Function 005C95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 005C9691
WSAGetLastError.WSOCK32(00000000), ref: 005C969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 005C96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005C96E9
WSAGetLastError.WSOCK32(00000000), ref: 005C96F8
htons.WSOCK32(?,?,?,00000000,?), ref: 005C97AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0060DC00), ref: 005C9765

Part of subcall function 005AD2FF: _strlen.LIBCMT ref: 005AD309

_strlen.LIBCMT ref: 005C9800

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: e3e892a820143f519124f8fc1ec84f684eab672a56be4a53697f31896e49462e
Instruction ID: 0ebc908acde7386712eb4aa995fd009d48692ca52fe3f1d51bdb575ecab7a6d8
Opcode Fuzzy Hash: e3e892a820143f519124f8fc1ec84f684eab672a56be4a53697f31896e49462e
Instruction Fuzzy Hash: 2081AA31504201AFC714AFA4DC89F6ABFA9FBC5710F108A1DF5599B292EB309905CBA6

Function 0059A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0059A991

Part of subcall function 00597D7C: __FF_MSGBANNER.LIBCMT ref: 00597D91
Part of subcall function 00597D7C: __NMSG_WRITE.LIBCMT ref: 00597D98
Part of subcall function 00597D7C: __malloc_crt.LIBCMT ref: 00597DB8

__lock.LIBCMT ref: 0059A9A4
__lock.LIBCMT ref: 0059A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00626DE0,00000018,005A5E7B,?,00000000,00000109), ref: 0059AA0C
EnterCriticalSection.KERNEL32(8000000C,00626DE0,00000018,005A5E7B,?,00000000,00000109), ref: 0059AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0059AA39

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 5dece4ea1c46b669c72c8b36e16e27f73c512bb728fcabcb4e33ca3e9abfa416
Instruction ID: 8115eecb8b09292211eaa6b9c9470f3b289a2fa424880279c6b37967b0d439f3
Opcode Fuzzy Hash: 5dece4ea1c46b669c72c8b36e16e27f73c512bb728fcabcb4e33ca3e9abfa416
Instruction Fuzzy Hash: 49413471A002069BEF10DF68DE4876CBFB1BF45335F258219E425AB2D1DB789944CBE2

Function 005D8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005D8EE4
GetDC.USER32(00000000), ref: 005D8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005D8EF7
ReleaseDC.USER32(00000000,00000000), ref: 005D8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 005D8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005D8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005DBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 005D8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005D8FAA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c369c9f6e7039f79c2f66a0b9f7e5c11921d1a86fc3e329231b0181bb942c610
Instruction ID: 1ed9a9e5fd11a4ffbca70194be981bc66e99f9700adb6552c27f01b67ea2eff5
Opcode Fuzzy Hash: c369c9f6e7039f79c2f66a0b9f7e5c11921d1a86fc3e329231b0181bb942c610
Instruction Fuzzy Hash: 5A314B72100214BBEB218F548C49FBA3FAEFB59715F044066FE08DA291DA799841DB74

Function 005E0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

GetSystemMetrics.USER32(0000000F), ref: 005E016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 005E038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005E03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 005E03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005E03FF
ShowWindow.USER32(00000003,00000000), ref: 005E0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 005E0440

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 0f970a76be7e9c656834f9f30eafc24af877780c9825709133dc290677970416
Instruction ID: dd49d2be455ce91c4956c3382c65249c387f846a8ff2653e2a0a96af9c8bcdd8
Opcode Fuzzy Hash: 0f970a76be7e9c656834f9f30eafc24af877780c9825709133dc290677970416
Instruction Fuzzy Hash: 1AA1DB34600656EBDF18CF69C9897BEBBB2BF08700F049515ED94AB290D7B4AD90CB90

Function 0058AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66de787c00e951715827634f87785a87f7988ee592ea6b3df14fb42b9cc07f00
Instruction ID: 6dcf7eb4f1b55772a6e3cc8c9710e2f67cac08a48c8f52570506cf45d65cce4b
Opcode Fuzzy Hash: 66de787c00e951715827634f87785a87f7988ee592ea6b3df14fb42b9cc07f00
Instruction Fuzzy Hash: 88717DB5900109EFDB04DF98CC89ABEBF79FF89314F248549FA15A6250D734AA41CF61

Function 005D2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D225A
_memset.LIBCMT ref: 005D2323
ShellExecuteExW.SHELL32(?), ref: 005D2368

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

Part of subcall function 0058C6F4: _wcscpy.LIBCMT ref: 0058C717

CloseHandle.KERNEL32(00000000), ref: 005D242F
FreeLibrary.KERNEL32(00000000), ref: 005D243E

Strings

@, xrefs: 005D2334

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: d3e959b1768375a90a6949b693656e467b7023e0d96287111694c0e63d96b384
Instruction ID: 3bbe0d02e06f445eae8feb9a10d7de3103685ea9e59304f9a13d3a2f741ab07e
Opcode Fuzzy Hash: d3e959b1768375a90a6949b693656e467b7023e0d96287111694c0e63d96b384
Instruction Fuzzy Hash: 59718F7490061A9FCF14EF98D4859AEBFF5FF58310F10845AE859AB351DB34AD41CB90

Function 005B3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005B3DE7
GetKeyboardState.USER32(?), ref: 005B3DFC
SetKeyboardState.USER32(?), ref: 005B3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 005B3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 005B3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 005B3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005B3F13

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 02a919695cbf0dfb1d5b24bd796799c2c23874d9d23d3875b5b84b2153257238
Instruction ID: 35ce493984661f7167d3e92936206e9b2f733f498f7137cd1b8588cae8dff26d
Opcode Fuzzy Hash: 02a919695cbf0dfb1d5b24bd796799c2c23874d9d23d3875b5b84b2153257238
Instruction Fuzzy Hash: CD51C3A0A047D53DFB3647288C46BF67EA97B06304F084589E1D5A68C3D798FEC8D760

Function 005B3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005B3C02
GetKeyboardState.USER32(?), ref: 005B3C17
SetKeyboardState.USER32(?), ref: 005B3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005B3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005B3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005B3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005B3D26

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8a075013dacf4094c3a7f11dab255a5fd3e360e0d98a3f733b931b4585fa179b
Instruction ID: d8e57b27d33ec18bfe0d623fa7c9e11df27c87f160c374fed863a15fcf305b66
Opcode Fuzzy Hash: 8a075013dacf4094c3a7f11dab255a5fd3e360e0d98a3f733b931b4585fa179b
Instruction Fuzzy Hash: 3351E3A05487D53DFB3683648C55BFABFA97F06340F088588E0D56A8C3D694FE88E760

Function 005B7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005B7DBE
_wcsncpy.LIBCMT ref: 005B7DF3
_wcsncpy.LIBCMT ref: 005B7E25
_wcsncpy.LIBCMT ref: 005B7E58
_wcsncpy.LIBCMT ref: 005B7E9A
_wcsncpy.LIBCMT ref: 005B7ED4
_wcsncpy.LIBCMT ref: 005B7F03

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: aa41888c188e102585bd6b5638b17321e2d2550415b31d8609c3b2f56e41ca11
Instruction ID: edc662450bd38c7ad85ed12efd0b66c76e50469009b78a538e8043a5f6dba89d
Opcode Fuzzy Hash: aa41888c188e102585bd6b5638b17321e2d2550415b31d8609c3b2f56e41ca11
Instruction Fuzzy Hash: 3E416066C102197ACF10EBF4C84A9DFBBADBF85310F508966E505E3162F634E615C3A9

Function 005D3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 005D3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005D3DCB
FreeLibrary.KERNEL32(00000000), ref: 005D3E80

Part of subcall function 005D3D72: RegCloseKey.ADVAPI32(?), ref: 005D3DE8
Part of subcall function 005D3D72: FreeLibrary.KERNEL32(?), ref: 005D3E3A
Part of subcall function 005D3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005D3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 005D3E25

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f244c34d32c372b3c2c06efb897bfad136ffcce7f38e97dac5f13893dcb03d26
Instruction ID: 7fc3e2d763deeb470a0c6de38c3104c188cb129e8fec77420e3f11b6626eebca
Opcode Fuzzy Hash: f244c34d32c372b3c2c06efb897bfad136ffcce7f38e97dac5f13893dcb03d26
Instruction Fuzzy Hash: 4631DEB1901109BFDB259B94DC89AFF7BBDFB18340F00016BA512E2291EA749F49DB61

Function 005D8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005D8FE7
GetWindowLongW.USER32(0169F638,000000F0), ref: 005D901A
GetWindowLongW.USER32(0169F638,000000F0), ref: 005D904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005D9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005D90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 005D90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005D90D6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 86b0de906e97656557f005847fe714849d3eb0caa7bf6e5edc1ad72c9b542778
Instruction ID: d5b13de33458bb759a88bbe38938dac4707c85cb70f9bbc7dfc0cb46e96fa980
Opcode Fuzzy Hash: 86b0de906e97656557f005847fe714849d3eb0caa7bf6e5edc1ad72c9b542778
Instruction Fuzzy Hash: C53114346002159FDB308F98EC89F647BA6FB5A714F140266F519CF2B1CB71A844EB91

Function 005B08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B0918
SysAllocString.OLEAUT32(00000000), ref: 005B091B
SysAllocString.OLEAUT32(?), ref: 005B0939
SysFreeString.OLEAUT32(?), ref: 005B0942
StringFromGUID2.OLE32(?,?,00000028), ref: 005B0967
SysAllocString.OLEAUT32(?), ref: 005B0975

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ba11da053504472ee54e820d97f4b663cb18c6d888034c5414aafb4019da2467
Instruction ID: 418ec1723271b238b67a7000ce2c3b1ea2ac712a32311a5a0b84205837116aaf
Opcode Fuzzy Hash: ba11da053504472ee54e820d97f4b663cb18c6d888034c5414aafb4019da2467
Instruction Fuzzy Hash: D2218176601219AFAF109FA8CC88DFB7BBCFB09360B008525F915DB191D674ED45CB60

Function 005B2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005B2485
__wcsnicmp.LIBCMT ref: 005B24A6
__wcsnicmp.LIBCMT ref: 005B24C0

Strings

#notrayicon, xrefs: 005B247D
#OnAutoItStartRegister, xrefs: 005B24BA
#requireadmin, xrefs: 005B24A0

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 63b2c91a959cd16622863488cc972ef8a59cd8371d942b436329781c910fdfb8
Instruction ID: dced6a6a2d01ced20ba342790d273458025cd25549357af6255c0f75a1de0804
Opcode Fuzzy Hash: 63b2c91a959cd16622863488cc972ef8a59cd8371d942b436329781c910fdfb8
Instruction Fuzzy Hash: 4F217C311405127BCB30B6349C16FF77F99FFA8300F604429F846AB0C1E665A942C3B5

Function 005B0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B09F1
SysAllocString.OLEAUT32(00000000), ref: 005B09F4
SysAllocString.OLEAUT32 ref: 005B0A15
SysFreeString.OLEAUT32 ref: 005B0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 005B0A38
SysAllocString.OLEAUT32(?), ref: 005B0A46

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dc40b79faa8b49dae12087f728f2001b012aeb40b59ac4c2bbc65341de1a9798
Instruction ID: b215c738231e6254bc6bf2f40520ca654f1d1b7c4db95d7c9669d4ead06548eb
Opcode Fuzzy Hash: dc40b79faa8b49dae12087f728f2001b012aeb40b59ac4c2bbc65341de1a9798
Instruction Fuzzy Hash: 55216075200204AF9B10DBA8DC89DBB7BECFF483607008525F909CB2A1E674ED45DB64

Function 005DA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058D1BA
Part of subcall function 0058D17C: GetStockObject.GDI32(00000011), ref: 0058D1CE
Part of subcall function 0058D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005DA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005DA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005DA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005DA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005DA360

Strings

Msctls_Progress32, xrefs: 005DA2FE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c24a6a38f19f38b8638096309d2e4e648534f9012fe481a86b4b4320aebe8878
Instruction ID: 0521a26cd9ad41484b5b95947be3c15d2be781c7f0b6ae82cc650911e80c2979
Opcode Fuzzy Hash: c24a6a38f19f38b8638096309d2e4e648534f9012fe481a86b4b4320aebe8878
Instruction Fuzzy Hash: 0C1186B1150219BEEF255F64CC86EE77F6EFF09798F014115FA04A61A0C7729C21DBA4

Function 0058CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0058CCF6
GetWindowRect.USER32(?,?), ref: 0058CD37
ScreenToClient.USER32(?,?), ref: 0058CD5F
GetClientRect.USER32(?,?), ref: 0058CE8C
GetWindowRect.USER32(?,?), ref: 0058CEA5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f0a7943b47ed58c732ebc1feb6b8239c1fa3bdfe89d196ba11d7a5526e82ee89
Instruction ID: 12657051f114ca70a447823726c7e7f23eaaa3f671142ee2f396bd258d42a2da
Opcode Fuzzy Hash: f0a7943b47ed58c732ebc1feb6b8239c1fa3bdfe89d196ba11d7a5526e82ee89
Instruction Fuzzy Hash: C4B1367990028ADBDB14DFA9C4847EEBFB5FF08300F149569EC99EB250DB30A950DB64

Function 005D1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005D1C18
Process32FirstW.KERNEL32(00000000,?), ref: 005D1C26
__wsplitpath.LIBCMT ref: 005D1C54

Part of subcall function 00591DFC: __wsplitpath_helper.LIBCMT ref: 00591E3C

_wcscat.LIBCMT ref: 005D1C69
Process32NextW.KERNEL32(00000000,?), ref: 005D1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 005D1CF1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 426e54f25d301a8017838c4f0259d8812764cfa810b07a0c26347231ca4f3fd6
Instruction ID: 11b92f8a7ea5e5edfa94486b2dc24e1eb735ed6f6fec35acdc1cd8aa9cfdda4f
Opcode Fuzzy Hash: 426e54f25d301a8017838c4f0259d8812764cfa810b07a0c26347231ca4f3fd6
Instruction Fuzzy Hash: F7517071104701AFD720EF24D845EABBBECFF88754F00491EF58A97251EB309905CBA6

Function 005D2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005D2BB5,?,?), ref: 005D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005D30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005D30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 005D3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005D313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005D317E
RegCloseKey.ADVAPI32(00000000), ref: 005D318B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 299a98ffe6475fb86b939824810a8efec418195657b2b646a58ea60d6cf6db07
Instruction ID: d641f87fecc7fb9dbb95e87deb13b415a66319c911ef9a5d84a7ee42406c3336
Opcode Fuzzy Hash: 299a98ffe6475fb86b939824810a8efec418195657b2b646a58ea60d6cf6db07
Instruction Fuzzy Hash: 54514A71104201AFC714EF68D889E6ABFF9FF89300F04895EF599872A1DB71EA05DB52

Function 005D84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005D8540
GetMenuItemCount.USER32(00000000), ref: 005D8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005D859F
GetMenuItemID.USER32(?,?), ref: 005D860E
GetSubMenu.USER32(?,?), ref: 005D861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 005D866D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 87df86ee1f3787a33c3a476a73f68f552236d5368e8705eb0350bac3d7a99ea5
Instruction ID: a9ba33aa29a74b825f4faece5a8dd61c61b8ce152cde82574000b68ae50c999a
Opcode Fuzzy Hash: 87df86ee1f3787a33c3a476a73f68f552236d5368e8705eb0350bac3d7a99ea5
Instruction Fuzzy Hash: 61518B75A00215AFCF11EF68D845ABEBBB5FF98320F10449AE905BB351CB70AE41DB90

Function 005B4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005B4B5B
IsMenu.USER32(00000000), ref: 005B4B7B
CreatePopupMenu.USER32 ref: 005B4BAF
GetMenuItemCount.USER32(000000FF), ref: 005B4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 005B4C3E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 51654a43064779ad80dfb10c2d307d82bf873e1adf25829b0ada5ff32e8e1e8d
Instruction ID: 730d1b6e3299b3fc454639a557a0e1d01908895f76f6d1611334a85cbcd5e59e
Opcode Fuzzy Hash: 51654a43064779ad80dfb10c2d307d82bf873e1adf25829b0ada5ff32e8e1e8d
Instruction Fuzzy Hash: 2B51AA7060124AABCF34CF68C888BEDBFF5BF44718F148559E5159A292E370AD44CF61

Function 005C8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0060DC00), ref: 005C8E7C
WSAGetLastError.WSOCK32(00000000), ref: 005C8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 005C8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 005C8EC5
_strlen.LIBCMT ref: 005C8EF7
WSAGetLastError.WSOCK32(00000000), ref: 005C8F6A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 3743d42d8dc9da2096ec8e91b918f343eb89dda38eecf9614b1f893928ce88d9
Instruction ID: 0618d62491059701c75fe80d1c42342264099c532a20004c2e5fdd92dd35029f
Opcode Fuzzy Hash: 3743d42d8dc9da2096ec8e91b918f343eb89dda38eecf9614b1f893928ce88d9
Instruction Fuzzy Hash: BA416F71500105AFCB14EBA4D989FAEBBBAFF99310F10855DF51A97291DF30AE04DB60

Function 0058ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

BeginPaint.USER32(?,?,?), ref: 0058AC2A
GetWindowRect.USER32(?,?), ref: 0058AC8E
ScreenToClient.USER32(?,?), ref: 0058ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0058ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0058AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005EE673

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 1be64b4c67125720d1e2e1eb5593ff2206423bc02d124f26fb5095a8064bc387
Instruction ID: e9e3155a0abfb724f8269685e88bcd2ca026d53cc7430d53fbaf3c06f53e3896
Opcode Fuzzy Hash: 1be64b4c67125720d1e2e1eb5593ff2206423bc02d124f26fb5095a8064bc387
Instruction Fuzzy Hash: EA41BE701002019FD710EF64DC89F7A7FB9BB5A320F04062AF9A4DB2A1C730AC44DBA2

Function 005DE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00631628,00000000,00631628,00000000,00000000,00631628,?,005EDC5D,00000000,?,00000000,00000000,00000000,?,005EDAD1,00000004), ref: 005DE40B
EnableWindow.USER32(00000000,00000000), ref: 005DE42F
ShowWindow.USER32(00631628,00000000), ref: 005DE48F
ShowWindow.USER32(00000000,00000004), ref: 005DE4A1
EnableWindow.USER32(00000000,00000001), ref: 005DE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005DE4E8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 48e785e5b958d07efa47a1c88cc6204dffd4bfdb6f30bbb3929a7f8374bcd10c
Instruction ID: 0bdf761229298129c6d7873d84eed48a1624722dae906d21ae124ceafb95bb38
Opcode Fuzzy Hash: 48e785e5b958d07efa47a1c88cc6204dffd4bfdb6f30bbb3929a7f8374bcd10c
Instruction Fuzzy Hash: 00414F30601141EFDF22DF28C49AB947FF1BB05304F1881ABEA58DF2A2C775A855DB61

Function 005B98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005B98D1

Part of subcall function 0058F4EA: std::exception::exception.LIBCMT ref: 0058F51E
Part of subcall function 0058F4EA: __CxxThrowException@8.LIBCMT ref: 0058F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005B9908
EnterCriticalSection.KERNEL32(?), ref: 005B9924
LeaveCriticalSection.KERNEL32(?), ref: 005B999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005B99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005B99D2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: baebac4873c17182556b99d4832064d5af523428a0d700793d05940f55acd916
Instruction ID: 886f8e9180cff9cdc66846184dda1a1a5b712959fdf00d7444ca4993c79bfa2b
Opcode Fuzzy Hash: baebac4873c17182556b99d4832064d5af523428a0d700793d05940f55acd916
Instruction Fuzzy Hash: 5B316F31900105ABDB10AFA5DC8AEAEBB79FF85310B1480A9F904EB256D774DA14DBA0

Function 005C9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,005C77F4,?,?,00000000,00000001), ref: 005C9B53

Part of subcall function 005C6544: GetWindowRect.USER32(?,?), ref: 005C6557

GetDesktopWindow.USER32 ref: 005C9B7D
GetWindowRect.USER32(00000000), ref: 005C9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005C9BB6

Part of subcall function 005B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005B7AD0

GetCursorPos.USER32(?), ref: 005C9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005C9C44

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 14fb188ef1fabc1b8f1290a396099d349ea4b704a4b38e2ccc281bb0c02d2753
Instruction ID: 884fbeeaac5e2c88b261f26b286d0582e495db793e97306cde0a68f9eca9db40
Opcode Fuzzy Hash: 14fb188ef1fabc1b8f1290a396099d349ea4b704a4b38e2ccc281bb0c02d2753
Instruction Fuzzy Hash: 5E31C37210830AAFC710DF54D849FABBBE9FF88314F000919F585E7181D635E908CB91

Function 005DEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0058AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0058AFE3
Part of subcall function 0058AF83: SelectObject.GDI32(?,00000000), ref: 0058AFF2
Part of subcall function 0058AF83: BeginPath.GDI32(?), ref: 0058B009
Part of subcall function 0058AF83: SelectObject.GDI32(?,00000000), ref: 0058B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 005DEC20
LineTo.GDI32(00000000,00000003,?), ref: 005DEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 005DEC42
LineTo.GDI32(00000000,00000000,?), ref: 005DEC52
EndPath.GDI32(00000000), ref: 005DEC62
StrokePath.GDI32(00000000), ref: 005DEC72

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: caf632b4690f51879b65f437511efd52bcd19afb9ffe99e0b4dce8a9cd0a6f74
Instruction ID: 9db474323a3c535b8cd36f6882b4063b0b8d30c18bf3d81e6bbb42a633398ffb
Opcode Fuzzy Hash: caf632b4690f51879b65f437511efd52bcd19afb9ffe99e0b4dce8a9cd0a6f74
Instruction Fuzzy Hash: 8B111B7600014DBFEF129F94DD89EEA7F6EEB19350F048112BE0899170D7719E59EBA0

Function 005AE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005AE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 005AE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005AE1D8
ReleaseDC.USER32(00000000,00000000), ref: 005AE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005AE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 005AE209

Part of subcall function 005A9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,005A9A05,00000000,00000000,?,005A9DDB), ref: 005AA53A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 2502ae3792b1adbe64d9ab6e9d8e7560ec189d1916a03281ebba802925b9d2f7
Instruction ID: 8e60bbb3624599b27e05a1fc6382cfbca8ca2d4afeadf8621f481e9330988f85
Opcode Fuzzy Hash: 2502ae3792b1adbe64d9ab6e9d8e7560ec189d1916a03281ebba802925b9d2f7
Instruction Fuzzy Hash: 260184B5A00315BFEB109BA59C4AF5EBFB9EB59751F004066EA04E7290DA709C01DB60

Function 00597B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00597B47

Part of subcall function 0059123A: __initp_misc_winsig.LIBCMT ref: 0059125E
Part of subcall function 0059123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00597F51
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00597F65
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00597F78
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00597F8B
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00597F9E
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00597FB1
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00597FC4
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00597FD7
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00597FEA
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00597FFD
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00598010
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00598023
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00598036
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00598049
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0059805C
Part of subcall function 0059123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0059806F

__mtinitlocks.LIBCMT ref: 00597B4C

Part of subcall function 00597E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0062AC68,00000FA0,?,?,00597B51,00595E77,00626C70,00000014), ref: 00597E41

__mtterm.LIBCMT ref: 00597B55

Part of subcall function 00597BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00597B5A,00595E77,00626C70,00000014), ref: 00597D3F
Part of subcall function 00597BBD: _free.LIBCMT ref: 00597D46
Part of subcall function 00597BBD: DeleteCriticalSection.KERNEL32(0062AC68,?,?,00597B5A,00595E77,00626C70,00000014), ref: 00597D68

__calloc_crt.LIBCMT ref: 00597B7A
GetCurrentThreadId.KERNEL32 ref: 00597BA3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 873038f2f004b4beb5e03bbdb43d91474902ca80f96fb13ae6924c33bb6c37cb
Instruction ID: a29eb5f3fed06b7a3c8f519e0e5042fb32ca4e2e4b487bace1361b00838f244f
Opcode Fuzzy Hash: 873038f2f004b4beb5e03bbdb43d91474902ca80f96fb13ae6924c33bb6c37cb
Instruction Fuzzy Hash: F3F0963253D71B1AEF2577747C0AA4A2F9ABF49730B204A9BF864C50D1FF2588428164

Function 005727EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0057281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00572825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00572830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0057283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00572843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057284B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6b0bcca3aa254e50ec616a8126538d2b6eb0868057777030ca714d3ca2bce0d9
Instruction ID: 46d7a32b03fccd3a36ead76b6cc54bafad3bf103f4eb980c22d844b06857ed72
Opcode Fuzzy Hash: 6b0bcca3aa254e50ec616a8126538d2b6eb0868057777030ca714d3ca2bce0d9
Instruction Fuzzy Hash: FF016CB0901B597DE3008F6A8C85B52FFB8FF15354F00411B915C87941C7F5A864CBE5

Function 005B9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 14d4f69b36276fa9b8e0ed70e60b9e1d0242b9306ba090367e364d742ee5c409
Instruction ID: 749f9f24e98ae9ba513253a198a1ff8feca31a6509dd7aa493a2e893f4961d48
Opcode Fuzzy Hash: 14d4f69b36276fa9b8e0ed70e60b9e1d0242b9306ba090367e364d742ee5c409
Instruction Fuzzy Hash: 4301A936101212ABD7151B58EC49EFF7B7BFF997017140429F603D2090DB78A804EBA0

Function 005B7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005B7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005B7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 005B7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005B7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005B7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005B7C4C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2ea8f9503e6a387ba373aa52b52bbbbeda6e2f8bac1a7559c770843021a9b054
Instruction ID: fd6b072dfd5d6aa239f2123a17c7fff3aa6db426a837ccfbcca1a89d2505591a
Opcode Fuzzy Hash: 2ea8f9503e6a387ba373aa52b52bbbbeda6e2f8bac1a7559c770843021a9b054
Instruction Fuzzy Hash: ECF03A72241158BBE7215B529C0EEFF7F7DEFDAB15F000018FA01D1091DBA85A49E6B5

Function 005B9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 005B9A33
EnterCriticalSection.KERNEL32(?,?,?,?,005E5DEE,?,?,?,?,?,0057ED63), ref: 005B9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,005E5DEE,?,?,?,?,?,0057ED63), ref: 005B9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,005E5DEE,?,?,?,?,?,0057ED63), ref: 005B9A5E

Part of subcall function 005B93D1: CloseHandle.KERNEL32(?,?,005B9A6B,?,?,?,005E5DEE,?,?,?,?,?,0057ED63), ref: 005B93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 005B9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,005E5DEE,?,?,?,?,?,0057ED63), ref: 005B9A78

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ce22c7050f77651ba17e95369ccb6ee3297e55cca7f8316b6a29cf32382eb25f
Instruction ID: d52da11f7260db254a93a9b8b8738b29ed3467a7e35ba7138da85efb4d535522
Opcode Fuzzy Hash: ce22c7050f77651ba17e95369ccb6ee3297e55cca7f8316b6a29cf32382eb25f
Instruction Fuzzy Hash: ADF05E3A141211ABD7111BA8EC8DEFE7B7BFF95301B140425F603D10A0DB79A805FBA0

Function 00571CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0058F4EA: std::exception::exception.LIBCMT ref: 0058F51E
Part of subcall function 0058F4EA: __CxxThrowException@8.LIBCMT ref: 0058F533

__swprintf.LIBCMT ref: 00571EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00571D49

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: da4431e84013339847a1b1b7ea2145059332e8f169d69308fc33711c3b5d8c77
Instruction ID: cda1d79536518c191d0d674debfd9749387dbaa8ab00a765a46071ecf18237d6
Opcode Fuzzy Hash: da4431e84013339847a1b1b7ea2145059332e8f169d69308fc33711c3b5d8c77
Instruction Fuzzy Hash: BD915B711046429FDB28EF29D899C6ABFA8FFC5700F00891DF889972A1DB30ED05DB52

Function 005CAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005CB006
CharUpperBuffW.USER32(?,?), ref: 005CB115
VariantClear.OLEAUT32(?), ref: 005CB298

Part of subcall function 005B9DC5: VariantInit.OLEAUT32(00000000), ref: 005B9E05
Part of subcall function 005B9DC5: VariantCopy.OLEAUT32(?,?), ref: 005B9E0E
Part of subcall function 005B9DC5: VariantClear.OLEAUT32(?), ref: 005B9E1A

Strings

Incorrect Parameter format, xrefs: 005CB03E, 005CB20B
AUTOIT.ERROR, xrefs: 005CB11B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8f70b09409a09a82cbe569db8e3c5e084753f1b1c42ff67caa63223fade1ed05
Instruction ID: ad8bfff62da79b6c50a20ce35db6066c15d8da14a8bce2883e7835ae9dbc396c
Opcode Fuzzy Hash: 8f70b09409a09a82cbe569db8e3c5e084753f1b1c42ff67caa63223fade1ed05
Instruction Fuzzy Hash: 3B9137746083029FCB10DF64D489E5ABBF5BFC9704F04886EF89A9B261DB31E945CB52

Function 005B5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058C6F4: _wcscpy.LIBCMT ref: 0058C717

_memset.LIBCMT ref: 005B5438
GetMenuItemInfoW.USER32(?), ref: 005B5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005B5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005B553D

Strings

0, xrefs: 005B5430

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2178918cf7b3658eb837818821f4a2b220a822600137ea6292ab352b4ceedded
Instruction ID: 6b2475a4d02529ee6ddbb12415d3e0bc29cb3710d7346a28f0d5e93013d6446d
Opcode Fuzzy Hash: 2178918cf7b3658eb837818821f4a2b220a822600137ea6292ab352b4ceedded
Instruction Fuzzy Hash: 8951F1711047019BD7299F28D8457EBBFE9FF85351F080A29F895D71D0E7A0ED448B92

Function 005B0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005B027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005B02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005B02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005B0344

Strings

DllGetClassObject, xrefs: 005B02B7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: df47a9b4f89a50bc09d52e90bc9e28f96c097f19c5ebf859cd6189a9936fbd28
Instruction ID: 7a1c9149d4a98fea4a6b27c0b7ac644ca84347c24bcd405e5d8a410ee18a9514
Opcode Fuzzy Hash: df47a9b4f89a50bc09d52e90bc9e28f96c097f19c5ebf859cd6189a9936fbd28
Instruction Fuzzy Hash: 8D416A71600205AFDB05CF54C888AAF7FFAFF44311B1494A9A909DF286D7B5E944DBA0

Function 005B5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B5075
GetMenuItemInfoW.USER32 ref: 005B5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 005B50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00631708,00000000), ref: 005B5120

Strings

0, xrefs: 005B506D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b2fbc3ee9d6436fc393e700731ff627e08d1a376671dc49e3941f8c7787e2577
Instruction ID: e540dbdc20849f867951e5c4c3e2bb8613d807bb44e10ce622d3415b305483b2
Opcode Fuzzy Hash: b2fbc3ee9d6436fc393e700731ff627e08d1a376671dc49e3941f8c7787e2577
Instruction Fuzzy Hash: EB41D2712047029FD724DF28D884BAABFE4BF89324F144A1EF99597291E770F904CB62

Function 005BE698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005BE742
GetLastError.KERNEL32(?,00000000), ref: 005BE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005BE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005BE7B9

Strings

p1Mw`KNw, xrefs: 005BE78D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1Mw`KNw
API String ID: 3321077145-3626030660
Opcode ID: 93a4e8de54cf8706ff0f43faf1ed3a3814228bdc4c00c61a4ebd08947e3be254
Instruction ID: f041021df53d5cb795078fec7945082e3ca7f6e83ee6155dc820ef697a6524a7
Opcode Fuzzy Hash: 93a4e8de54cf8706ff0f43faf1ed3a3814228bdc4c00c61a4ebd08947e3be254
Instruction Fuzzy Hash: 4F4127396006519FCB11AF14C44999DBBF5FF99710B19C488E90AAB3A2CB34FC00DBA1

Function 005D0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 005D0587

Strings

cdecl, xrefs: 005D05DE
winapi, xrefs: 005D05F8
stdcall, xrefs: 005D0609
none, xrefs: 005D0662

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: c551fe9657c0d635b99fcf2c82fc0ddb6e1f37c671da92df4e5dce55a987bbe6
Instruction ID: 2727b68e72bcf266584786ad7f7e252a29ec120ab0ced74b60595480876a2048
Opcode Fuzzy Hash: c551fe9657c0d635b99fcf2c82fc0ddb6e1f37c671da92df4e5dce55a987bbe6
Instruction Fuzzy Hash: 6731C330500516AFCF10EF58D841AAEBBB5FF95310F00862AF826A76D1DB71E915CB50

Function 005AB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005AB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005AB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 005AB8D1

Strings

ListBox, xrefs: 005AB84D
ComboBox, xrefs: 005AB815

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 8fa2141faa4d16d22125cbaf5578eea36ca67102a7d4ee455a139df3938054ec
Instruction ID: caf20f1764ea8d75dae837846e5e64cd305b01fada3df5d652638da78c4ea5d9
Opcode Fuzzy Hash: 8fa2141faa4d16d22125cbaf5578eea36ca67102a7d4ee455a139df3938054ec
Instruction Fuzzy Hash: 2121B671900106BFEB04AB78D88ADBE7F7DFF46350B104519F415A61E2DB784D0AA760

Function 005751AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0057522F
_wcscpy.LIBCMT ref: 00575283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00575293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005E3CB0

Strings

Line: , xrefs: 005E3CD9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 016be4ac147de1e08bc22a8ddbd5e2bf61a6b64bf0e6e9c70e07587b78bd883d
Instruction ID: cffee3bd8bcb25bb84234166d448002d0ebe983570ea3909671e8c53f0b40e48
Opcode Fuzzy Hash: 016be4ac147de1e08bc22a8ddbd5e2bf61a6b64bf0e6e9c70e07587b78bd883d
Instruction Fuzzy Hash: 4F31B2714087416ED324EB60EC4AFDE7FD8BF85310F40891AF58D96092EBB4A648DBD2

Function 005C43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005C4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005C4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005C4457
InternetCloseHandle.WININET(00000000), ref: 005C449E

Part of subcall function 005C5052: GetLastError.KERNEL32(?,?,005C43CC,00000000,00000000,00000001), ref: 005C5067

Strings

, xrefs: 005C4450

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2546e27efc3a5e7cccbcb4cd4b103632e33026932ed48826c891ae0746dbfd8b
Instruction ID: 26838b0fa31cd4122cd530fd04b98e1647d36741fd6442399b7d0ba26d604c84
Opcode Fuzzy Hash: 2546e27efc3a5e7cccbcb4cd4b103632e33026932ed48826c891ae0746dbfd8b
Instruction Fuzzy Hash: 8A217FB1500208BEEB15AB94CCD5FBFBAFDFB98758F20841EF105E6140EA649D059BB1

Function 005D90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0058D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058D1BA
Part of subcall function 0058D17C: GetStockObject.GDI32(00000011), ref: 0058D1CE
Part of subcall function 0058D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005D915C
LoadLibraryW.KERNEL32(?), ref: 005D9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005D9178
DestroyWindow.USER32(?), ref: 005D9180

Strings

SysAnimate32, xrefs: 005D9137

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 1ab4a310500db177f5bad8cf5623e46c400d00cbe52edc5dfd07c5ea5f544d8e
Instruction ID: e39e5fd0b31a9dbfa04a9229dac33c2b936a1fb17648a7e4c598ba863e72fbf9
Opcode Fuzzy Hash: 1ab4a310500db177f5bad8cf5623e46c400d00cbe52edc5dfd07c5ea5f544d8e
Instruction Fuzzy Hash: F0215E71200206BBEF204EA89C89EFA3BA9FF99364F10461BF954D6290C771DC52E761

Function 005B9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005B9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005B95B9
GetStdHandle.KERNEL32(0000000C), ref: 005B95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005B9605

Strings

nul, xrefs: 005B9600

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a6d6a6ca40dfc55a3ab065465a67a45c7c9e86c0cb659820f9b7ef213595a672
Instruction ID: 7ed97143c639364cd68a0a55d35998bcf87fe53dc23aace0d654265e3c66156e
Opcode Fuzzy Hash: a6d6a6ca40dfc55a3ab065465a67a45c7c9e86c0cb659820f9b7ef213595a672
Instruction Fuzzy Hash: EC218E7064020AABDB219F25DC05ADABFF9BF94720F204A19FAA1D72D0D770E944CB60

Function 005B9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005B9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005B9683
GetStdHandle.KERNEL32(000000F6), ref: 005B9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005B96CE

Strings

nul, xrefs: 005B96C9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c6a47e7950fbc2a171000b8bf1797feb8a59844f602818690ea5a6e5ec808064
Instruction ID: 4147d4414c9888322014fc04a982ea3b9b1a3f5dab2fc535e3d2aee355703df2
Opcode Fuzzy Hash: c6a47e7950fbc2a171000b8bf1797feb8a59844f602818690ea5a6e5ec808064
Instruction Fuzzy Hash: 642183715002069BDB209F699C45EDABBF9BF95734F200A19FAA1D72D0D770E845CB60

Function 005BDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005BDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005BDB5E
__swprintf.LIBCMT ref: 005BDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0060DC00), ref: 005BDBB5

Strings

%lu, xrefs: 005BDB71

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c980309f18fcf7ce00787cbf561448ca8724bc8edad66eadc778f9442ccf5845
Instruction ID: 5d6e0cbfe20417dca80a528be7ab9537eb99f067bcc540d7ed47ae0d85642330
Opcode Fuzzy Hash: c980309f18fcf7ce00787cbf561448ca8724bc8edad66eadc778f9442ccf5845
Instruction Fuzzy Hash: 58217135600109AFCB10EFA4D985DEEBFB9FF89704B004069F509D7251DB74EA05DB61

Function 005AC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005AC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005AC84A
Part of subcall function 005AC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005AC85D
Part of subcall function 005AC82D: GetCurrentThreadId.KERNEL32 ref: 005AC864
Part of subcall function 005AC82D: AttachThreadInput.USER32(00000000), ref: 005AC86B

GetFocus.USER32 ref: 005ACA05

Part of subcall function 005AC876: GetParent.USER32(?), ref: 005AC884

GetClassNameW.USER32(?,?,00000100), ref: 005ACA4E
EnumChildWindows.USER32(?,005ACAC4), ref: 005ACA76
__swprintf.LIBCMT ref: 005ACA90

Strings

%s%d, xrefs: 005ACA8A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 2b42de97950a6ad45903410a9939d6096ad7548160fdfa1ca2aa5db989aa5c42
Instruction ID: 91e63d040acf17e6d76d7254b538cfedb51617059d94d20b588ea90945bbce43
Opcode Fuzzy Hash: 2b42de97950a6ad45903410a9939d6096ad7548160fdfa1ca2aa5db989aa5c42
Instruction Fuzzy Hash: 8311727550020ABBDB11BFA09C89FBD3F79BF85714F008066FA19AA186CB749945DB70

Function 00597A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00597AD8

Part of subcall function 00597CF4: __mtinitlocknum.LIBCMT ref: 00597D06
Part of subcall function 00597CF4: EnterCriticalSection.KERNEL32(00000000,?,00597ADD,0000000D), ref: 00597D1F

InterlockedIncrement.KERNEL32(?), ref: 00597AE5
__lock.LIBCMT ref: 00597AF9
___addlocaleref.LIBCMT ref: 00597B17

Strings

`_, xrefs: 00597AA3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `_
API String ID: 1687444384-3048338563
Opcode ID: 0fe50e6f8f3ae28809858e76b12355a2fc8c802ab59072a8c02a478a7b12c74a
Instruction ID: a5cfef2b242043dc1f15f8eeb23a9a87717e9b5c705b35a26cbcd0966c185011
Opcode Fuzzy Hash: 0fe50e6f8f3ae28809858e76b12355a2fc8c802ab59072a8c02a478a7b12c74a
Instruction Fuzzy Hash: 8601AD71400B06EFDB20DF75D90A74ABBF1FF94321F20880EA49A872A0DBB4A644CF01

Function 005DE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005DE33D
_memset.LIBCMT ref: 005DE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00633D00,00633D44), ref: 005DE37B
CloseHandle.KERNEL32 ref: 005DE38D

Strings

D=c, xrefs: 005DE346

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=c
API String ID: 3277943733-914457682
Opcode ID: 05e7eb6f579cc3a7bac4499adaeaa6ea9c7f57f8798b1b88dd4f0d1ecf41f9b0
Instruction ID: e090e36dfe84b89dcfc27b2bada9756ccc21a8940b12d8b9cb8fd492bbd3afc2
Opcode Fuzzy Hash: 05e7eb6f579cc3a7bac4499adaeaa6ea9c7f57f8798b1b88dd4f0d1ecf41f9b0
Instruction Fuzzy Hash: 40F054F1540324BEE7101B64AC49F777E6DEF05754F005421BE04D62A2D7795D0096F4

Function 005D1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005D19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005D1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 005D1B49
CloseHandle.KERNEL32(?), ref: 005D1BBF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 000102a99dfdc352d285bd880ecb135813fa80098d865b3984a8bdb74556da72
Instruction ID: 1c8126fcd71c55c17fc45865525444c14207c51cb5bde8453f83877803732d7d
Opcode Fuzzy Hash: 000102a99dfdc352d285bd880ecb135813fa80098d865b3984a8bdb74556da72
Instruction Fuzzy Hash: 88814F70600605ABDF20AF64C89ABADBFE5FF44720F14845AF905BF382D7B5A941CB94

Function 005DE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 005DE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 005DE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 005DE248
GetWindowLongW.USER32(?,000000EC), ref: 005DE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005DE281

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: b5327c0b22895a43da2016a0a1fcfbd6279b8e4f9c87ed35006bf18e8fe77322
Instruction ID: b1a92610941f4b1f9623e666a7ae5d20f2396340eea186315d47ec49f3bf92f3
Opcode Fuzzy Hash: b5327c0b22895a43da2016a0a1fcfbd6279b8e4f9c87ed35006bf18e8fe77322
Instruction Fuzzy Hash: F7617F34700204AFDB31EF98C896FAA7FBABB8A300F14445BE9599F391C771A941DB50

Function 005B1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B1CB4
VariantClear.OLEAUT32(00000013), ref: 005B1D26
VariantClear.OLEAUT32(00000000), ref: 005B1D81
VariantClear.OLEAUT32(?), ref: 005B1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005B1E26

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2f2a64a9ce23ba136ddcb754d011dca516a7a521b91f56038f5cd11093208d2e
Instruction ID: 997a2f1d23bd871f1497c62df6a61162d90e9e66391b3dffcea9813a8983191a
Opcode Fuzzy Hash: 2f2a64a9ce23ba136ddcb754d011dca516a7a521b91f56038f5cd11093208d2e
Instruction Fuzzy Hash: 9E516AB5A00609EFCB14CF58C894AAABBB9FF4C314B158559ED49DB300E334EA11CFA4

Function 005D0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 005D06EE
GetProcAddress.KERNEL32(00000000,?), ref: 005D077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 005D079B
GetProcAddress.KERNEL32(00000000,?), ref: 005D07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 005D07FB

Part of subcall function 0058E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,005BA574,?,?,00000000,00000008), ref: 0058E675
Part of subcall function 0058E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,005BA574,?,?,00000000,00000008), ref: 0058E699

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 1a573d08246220eee68b4d6388fa7aae319454a0f5835fbd6248734579d04281
Instruction ID: da506e7ed0f2ae59036e93a12ba10abc1d9212567ec152ae76a4004422eb5d36
Opcode Fuzzy Hash: 1a573d08246220eee68b4d6388fa7aae319454a0f5835fbd6248734579d04281
Instruction Fuzzy Hash: 10512975A00206DFCB10EFA8D485EADBBB5FF59310F04805AE919AB392DB30ED46DB51

Function 005D2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005D2BB5,?,?), ref: 005D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005D2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005D2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005D2F75
RegCloseKey.ADVAPI32(?,?), ref: 005D2FA1
RegCloseKey.ADVAPI32(00000000), ref: 005D2FAE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 6d7f4ea7df171b41e2b11e2e3e525409136d953c46877793792e51ae16504f1c
Instruction ID: 291ce27334f1abeab672e92e5ccbb7a5e320a25d924f8c33a3a99796c56610de
Opcode Fuzzy Hash: 6d7f4ea7df171b41e2b11e2e3e525409136d953c46877793792e51ae16504f1c
Instruction Fuzzy Hash: B5515C71208206AFD714EF58C886E6ABBF9FF98304F00885EF59997291DB30E905DB52

Function 005DCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17faae94beda638c60eb6fb16678d8427d8025c47a44081d210ad6ec4796221d
Instruction ID: ea15aa80a690c6f3cf92b96946ba5259b2911d9555cfd5ad5d870542217f5f37
Opcode Fuzzy Hash: 17faae94beda638c60eb6fb16678d8427d8025c47a44081d210ad6ec4796221d
Instruction Fuzzy Hash: 40419279900146ABCB31EF6C8C48FA9BF7AFB0A310F140667E959E73D1C674AD01D6A0

Function 005C1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005C12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005C12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005C131C

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005C1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005C1349

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: f8baea1f9ae3e7bda57a1938cee897451b7e7c156ff6e574ac8bbd1b4d3af0dc
Instruction ID: 6784d5db47722c72b0084a396408318a336d183056bad6dccc7c10229d47eaf6
Opcode Fuzzy Hash: f8baea1f9ae3e7bda57a1938cee897451b7e7c156ff6e574ac8bbd1b4d3af0dc
Instruction Fuzzy Hash: 00410935A00505DFCB01EF64C985AAEBBF5FF49314B14C499E90AAB3A2CB31ED01DB64

Function 0058B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0058B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0058B66C
GetAsyncKeyState.USER32(00000001), ref: 0058B691
GetAsyncKeyState.USER32(00000002), ref: 0058B69F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4250a44a334f333a3aef0c27f136570900a4ba934f7140e7fc4e3c0ce597f1a7
Instruction ID: 0a52e8a4d5b1f36f96e530e3e418523653e3add906bc64ecde48005faa06634c
Opcode Fuzzy Hash: 4250a44a334f333a3aef0c27f136570900a4ba934f7140e7fc4e3c0ce597f1a7
Instruction Fuzzy Hash: B1418031504115BBDF19DF65C848AE9BF79FB05320F10435AE869A6290D730AD94EFA1

Function 005AB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005AB369
PostMessageW.USER32(?,00000201,00000001), ref: 005AB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005AB41B
PostMessageW.USER32(?,00000202,00000000), ref: 005AB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005AB431

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 124e1c4fcba4b113a4b8bb26a5f525ce2cc819d54b2d50aabfa3001ba2c7c566
Instruction ID: c096966d1b8edbd433799de0ef3aada12b787a2c24d9dd8247432274650c8375
Opcode Fuzzy Hash: 124e1c4fcba4b113a4b8bb26a5f525ce2cc819d54b2d50aabfa3001ba2c7c566
Instruction Fuzzy Hash: FB31C071900219EBEF04CF68D94DAAE3FB6FB05315F104A29F921EA1D2C7B49914DBA0

Function 005ADBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005ADBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005ADBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005ADC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005ADC52
_wcsstr.LIBCMT ref: 005ADC5C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 4909d2908c7a37030fc8da4e437d7425650abae314fcbe11363e67e6b7b57753
Instruction ID: f5e7352197203ee8bb735eca54407d904840bff11e65c8fe8ff7f98248fbec2e
Opcode Fuzzy Hash: 4909d2908c7a37030fc8da4e437d7425650abae314fcbe11363e67e6b7b57753
Instruction Fuzzy Hash: 8221D371204104ABEB156B299C4DE7E7FB9FF8A760F104029F80ADA191EAA58C01E7B0

Function 005DDE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

GetWindowLongW.USER32(?,000000F0), ref: 005DDEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 005DDED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005DDEEC
GetSystemMetrics.USER32(00000004), ref: 005DDF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,005C3A1E,00000000), ref: 005DDF32

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0d22ae069820f004fab10bc0673ae3bd4a13805dd330813547a8e808923dfcca
Instruction ID: d92be5743b9bd6254d4a5847cc3417052aadcf7bf7d624078e42968f9e4ebefa
Opcode Fuzzy Hash: 0d22ae069820f004fab10bc0673ae3bd4a13805dd330813547a8e808923dfcca
Instruction Fuzzy Hash: A2218E71611212AFCB305F7C9C48B6A7FB9FB66324B150726F926CA6E0D7709850DBA0

Function 005ABC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005ABC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005ABCC2
__itow.LIBCMT ref: 005ABCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005ABD00
__itow.LIBCMT ref: 005ABD11

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 7c6aeafe5138a13b23bc18a1f7efac15d16775cdcdbf1ac92c107bc977edf257
Instruction ID: 69d2d5d7e4b48642c4aa085eae6383eed1dc62b4188ea6b52e2dca6ce670a56c
Opcode Fuzzy Hash: 7c6aeafe5138a13b23bc18a1f7efac15d16775cdcdbf1ac92c107bc977edf257
Instruction Fuzzy Hash: C721C935600619BAEB10AE659C4AFDE7E69BF9A750F004424FA05EB182DB708D0597E1

Function 005B6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 005750E6: _wcsncpy.LIBCMT ref: 005750FA

GetFileAttributesW.KERNEL32(?,?,?,?,005B60C3), ref: 005B6369
GetLastError.KERNEL32(?,?,?,005B60C3), ref: 005B6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005B60C3), ref: 005B6388
_wcsrchr.LIBCMT ref: 005B63AA

Part of subcall function 005B6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005B60C3), ref: 005B63E0

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 8028b8ddff8dad380206747f8063e3d3438e9d47cf30f577569a1cdeb28595d8
Instruction ID: 1ecc75d8831ea54b5c769ae22fd908420f19171fdbef60d12893549ee9f86e74
Opcode Fuzzy Hash: 8028b8ddff8dad380206747f8063e3d3438e9d47cf30f577569a1cdeb28595d8
Instruction Fuzzy Hash: 4621D5315046169BDF15AB78AC4AFFE2BECBF193A0F100C65F446D70C0EB68E9849A64

Function 005C8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005CA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005C8BD3
WSAGetLastError.WSOCK32(00000000), ref: 005C8BE2
connect.WSOCK32(00000000,?,00000010), ref: 005C8BFE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 4bca7de86f61d1974cd4ab7b1ce1752237663f779c412b2e0b949b017c6a7bcf
Instruction ID: 03332df2152ce59b7e0306db5df4a1b433e6a9dca96b5cb84bdbd8ce02cfe4a0
Opcode Fuzzy Hash: 4bca7de86f61d1974cd4ab7b1ce1752237663f779c412b2e0b949b017c6a7bcf
Instruction Fuzzy Hash: 672190312002159FCB14AF68CC89F7E7BA9FF98710F04845DF956EB292CB74AC059B61

Function 005C8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005C8441
GetForegroundWindow.USER32 ref: 005C8458
GetDC.USER32(00000000), ref: 005C8494
GetPixel.GDI32(00000000,?,00000003), ref: 005C84A0
ReleaseDC.USER32(00000000,00000003), ref: 005C84DB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 647d6c9d14715711a4f6712802fb7c4467063289e5ad5de01f3fe4f751e61ba3
Instruction ID: 2e68474cc54e4639ad3242efacf9ed5cfb8576fbe2ffb5b5e5ee5aa389c289b9
Opcode Fuzzy Hash: 647d6c9d14715711a4f6712802fb7c4467063289e5ad5de01f3fe4f751e61ba3
Instruction Fuzzy Hash: 5121A435A00205AFDB04EFA4D888EAEBBF9FF88301F048479E849D7251DB74AC04DB60

Function 0058AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0058AFE3
SelectObject.GDI32(?,00000000), ref: 0058AFF2
BeginPath.GDI32(?), ref: 0058B009
SelectObject.GDI32(?,00000000), ref: 0058B033

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0265ed95d1a3b4f7708b8df92d2399d08183949a9d2437f49b2aebd7efc5fcdd
Instruction ID: 010cb69dfd64cdfe74549d4dac1baa58850136869b9950a5ad20a322939dcee2
Opcode Fuzzy Hash: 0265ed95d1a3b4f7708b8df92d2399d08183949a9d2437f49b2aebd7efc5fcdd
Instruction Fuzzy Hash: 8121A170800249EFEB10EF95ED49BAA7F7EBB26355F14531AE820AA0A0D3705955DBE0

Function 0059217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005921A9
CreateThread.KERNEL32(?,?,005922DF,00000000,?,?), ref: 005921ED
GetLastError.KERNEL32 ref: 005921F7
_free.LIBCMT ref: 00592200
__dosmaperr.LIBCMT ref: 0059220B

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 0758ea12e58c120aa2c3433bb411e3a17329a0dbfc4f87d33f4bae99012fb1c2
Instruction ID: 2febe6ea25ac5007512eefa038402bd02fd56c7744392839dd8caf3b2aad9c86
Opcode Fuzzy Hash: 0758ea12e58c120aa2c3433bb411e3a17329a0dbfc4f87d33f4bae99012fb1c2
Instruction Fuzzy Hash: 3811A13210870BAF9F11AFA59D45DAF3FA9FF85760B10042AFA1486192EB719811DAA1

Function 005AABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005AABD7
GetLastError.KERNEL32(?,005AA69F,?,?,?), ref: 005AABE1
GetProcessHeap.KERNEL32(00000008,?,?,005AA69F,?,?,?), ref: 005AABF0
HeapAlloc.KERNEL32(00000000,?,005AA69F,?,?,?), ref: 005AABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005AAC0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0f1dd987e83c694f727b55894b51f3af7942a668aa69a9949bbdf3c54d1f9b00
Instruction ID: bfc77527fa2dd19e4f0d1610b6ef63a531a01ed29c797036868903432244e32c
Opcode Fuzzy Hash: 0f1dd987e83c694f727b55894b51f3af7942a668aa69a9949bbdf3c54d1f9b00
Instruction Fuzzy Hash: CA014670200204BFEB104FA9DC58DAB3EBEFF8A3647100429F909C2260DB718C44EA71

Function 005B7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005B7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005B7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005B7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005B7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005B7AD0

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 928b497e8894e871cc8a69701beaca7306736e157aa85c92817db6f292f8397d
Instruction ID: 69a3ae5426a71aaa8aa8573b47ff256add73e55d837d9d072092ebda7377c23c
Opcode Fuzzy Hash: 928b497e8894e871cc8a69701beaca7306736e157aa85c92817db6f292f8397d
Instruction Fuzzy Hash: EE015331C0862DABCF00AFE4DC49AEDBB79FB5C701F000445E402F2250DB38A654E7A1

Function 005A9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 005A9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 005A9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 005A9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005A9B15
CLSIDFromString.OLE32(?,?), ref: 005A9B21

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b253605aac9b404fb42037a38ce9d2153fa014915e55330028b5cc785e1f2152
Instruction ID: fd07227d50970b7bda669e67de95f8c16ec3ea891e4cdf7b2361ba80217b8bdf
Opcode Fuzzy Hash: b253605aac9b404fb42037a38ce9d2153fa014915e55330028b5cc785e1f2152
Instruction Fuzzy Hash: 8F018B76600228BFDB104F68EC44BAEBEFEEB95392F248024F905D2210D774DD04ABB0

Function 005AAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005AAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005AAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005AAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005AAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005AAAAF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 406e8ca3c607a66f074621979224e0bff966c2dd10fb16bd7ad077dbfddbe389
Instruction ID: bacd761d19702c7483e017894e7ec3ced3da570086fd0ec9a60d699c2be91218
Opcode Fuzzy Hash: 406e8ca3c607a66f074621979224e0bff966c2dd10fb16bd7ad077dbfddbe389
Instruction Fuzzy Hash: C4F03771200204AFEB115FA4EC89EBB3BBDFB4A754B004429FA41C61A0DB659C45EA71

Function 005AAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005AAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005AAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005AAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005AAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005AAB10

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7f00043b230da00f59c90f2b97e944de6990a4525d5bf723abb3fc5a121f8e70
Instruction ID: 1079b3a66309312e823bcff1f03ed2d9149c8599a5b4bf238beea27b82a39620
Opcode Fuzzy Hash: 7f00043b230da00f59c90f2b97e944de6990a4525d5bf723abb3fc5a121f8e70
Instruction Fuzzy Hash: 41F04F712002086FEB110FA4EC88E7B3BBEFF46754F00042AF941C7190DB659805EA71

Function 005AEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005AEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 005AECAB
MessageBeep.USER32(00000000), ref: 005AECC3
KillTimer.USER32(?,0000040A), ref: 005AECDF
EndDialog.USER32(?,00000001), ref: 005AECF9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 80058a10fde16067b268a0588b74e43957169b7476769fd56058227eb3f8341d
Instruction ID: b7bdcaae0b8e285e6c9e8d41c6e808f2f3213757cc405d0c3a0449041b0e55bf
Opcode Fuzzy Hash: 80058a10fde16067b268a0588b74e43957169b7476769fd56058227eb3f8341d
Instruction Fuzzy Hash: C6018130500705ABEB246B10DE5FBAABBB9FB11715F000559B582E54E1DBF4AE48DB50

Function 0058B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0058B0BA
StrokeAndFillPath.GDI32(?,?,005EE680,00000000,?,?,?), ref: 0058B0D6
SelectObject.GDI32(?,00000000), ref: 0058B0E9
DeleteObject.GDI32 ref: 0058B0FC
StrokePath.GDI32(?), ref: 0058B117

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c9f83b5a85eb1db44bc80fb5d2370acec8288dbd7492d4621241fea742ffe1c2
Instruction ID: dac22868ee47f7255a02024646f27d1309508febb6b590f994f9cce1e7aa8cc3
Opcode Fuzzy Hash: c9f83b5a85eb1db44bc80fb5d2370acec8288dbd7492d4621241fea742ffe1c2
Instruction Fuzzy Hash: 1FF0CD34000644DFD721AFA5ED0E7653F7ABB13361F18A315E825990F0C7354559DFA0

Function 005BF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005BF2DA
CoCreateInstance.OLE32(005FDA7C,00000000,00000001,005FD8EC,?), ref: 005BF2F2
CoUninitialize.OLE32 ref: 005BF555

Strings

.lnk, xrefs: 005BF28B, 005BF290, 005BF29E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: cac983335dadc89560766735af0bc63c5e67c59b138af1b0d28e1adc7673eeae
Instruction ID: 56cc65ae6e3ae10561c9704c97ee02049b5b7594af8883c08c4ca923ba8706eb
Opcode Fuzzy Hash: cac983335dadc89560766735af0bc63c5e67c59b138af1b0d28e1adc7673eeae
Instruction Fuzzy Hash: 39A12971104202AFD300EF64D885DABBBE8FFD8314F40895DF55997192EB70AA49CB62

Function 005BE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0057660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005753B1,?,?,005761FF,?,00000000,00000001,00000000), ref: 0057662F

CoInitialize.OLE32(00000000), ref: 005BE85D
CoCreateInstance.OLE32(005FDA7C,00000000,00000001,005FD8EC,?), ref: 005BE876
CoUninitialize.OLE32 ref: 005BE893

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

Strings

.lnk, xrefs: 005BE83B, 005BE84D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 752964806399a1a4e067f8b8210d320fe91e731744d7d7859c0a1e966e2b8598
Instruction ID: 6c3a183a69c227879e763496a6e9165b964274037bfd001ac3c1415864e5d5ec
Opcode Fuzzy Hash: 752964806399a1a4e067f8b8210d320fe91e731744d7d7859c0a1e966e2b8598
Instruction Fuzzy Hash: 1FA124756043029FCB14DF14C4899AEBBE5FF89310F148958F99A9B3A1CB31ED45CB91

Function 0059325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005932ED

Part of subcall function 0059E0D0: __87except.LIBCMT ref: 0059E10B

Strings

pow, xrefs: 005932C5, 005932E2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 18042eed3df0774a8a69b3b6e4c50bf9313d3f428066f30ae78d6bc0f3dc6b65
Instruction ID: 7e6d8480a843dde7515de7f3491c50860c32265296d0bd8da07297782e150270
Opcode Fuzzy Hash: 18042eed3df0774a8a69b3b6e4c50bf9313d3f428066f30ae78d6bc0f3dc6b65
Instruction Fuzzy Hash: 3E515735A48202D6DF11F714C90A37A2F95FB80710F248D69F4D6822E9EF358E88EA46

Function 00571F21 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 00571F5D
#, xrefs: 00571F64

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 57331410ee79c71c8827d09e4f268505785913273c8bc6f8d332387aa71d7109
Instruction ID: e53c36a467f015624849fb99621dd73ffaf14e516630fa9d2cef85da90e00e6c
Opcode Fuzzy Hash: 57331410ee79c71c8827d09e4f268505785913273c8bc6f8d332387aa71d7109
Instruction Fuzzy Hash: 915121755002869FDF29DF29D448AFA3FA4FF65310F188065E8C5AB290D7349E82DB60

Function 005B4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0060DC50,?,0000000F,0000000C,00000016,0060DC50,?), ref: 005B4645

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 005B46C5

Strings

REMOVE, xrefs: 005B4676
THIS, xrefs: 005B4703

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 60b6b59cd2f22f1f83e494d1e8383a3ca932fe2f88fc2b4e61e04788b34ffa9b
Instruction ID: b24ccf9cc85efb4f47c296e38cc67a7480067b32661bf8d81d874ce0cd93baef
Opcode Fuzzy Hash: 60b6b59cd2f22f1f83e494d1e8383a3ca932fe2f88fc2b4e61e04788b34ffa9b
Instruction Fuzzy Hash: 5241A134A0021A9FCF10DF54C885AADBFB5FF85304F148459E91AAB252DB34ED06DF50

Function 005AC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005ABC08,?,?,00000034,00000800,?,00000034), ref: 005B4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005AC1D3

Part of subcall function 005B42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005ABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 005B4300

Part of subcall function 005B422F: GetWindowThreadProcessId.USER32(?,?), ref: 005B425A
Part of subcall function 005B422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 005B426A
Part of subcall function 005B422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 005B4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005AC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005AC28D

Strings

@, xrefs: 005AC2A5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3f631513565549ff1ed9e013cf95b6b579314a9262a5e8f032685962b2b91802
Instruction ID: a8604e6a3f5737b99ec7235ae7c923ae92c894ab67b845e4a1721e27ef8cd109
Opcode Fuzzy Hash: 3f631513565549ff1ed9e013cf95b6b579314a9262a5e8f032685962b2b91802
Instruction Fuzzy Hash: 18414976900219AFDB10DBA4CD85BEEBBB8FF49300F004495FA85B7181DA716E85DB61

Function 005DA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0060DC00,00000000,?,?,?,?), ref: 005DA6D8
GetWindowLongW.USER32 ref: 005DA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005DA705

Strings

SysTreeView32, xrefs: 005DA6AA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e02918168366d0ae7c9e6c6e2040ce8c33dbf0c3dd692bcd224feba694c55a5f
Instruction ID: 6f89806a4445aa1836ab6d8bdf2794c2b64574f1d0ae8717aa18b32ce34d09a2
Opcode Fuzzy Hash: e02918168366d0ae7c9e6c6e2040ce8c33dbf0c3dd692bcd224feba694c55a5f
Instruction Fuzzy Hash: 30319D31600206ABDB219E78CC45BEB7BAAFB49364F244716F875A22E0D774E850DB51

Function 005C5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 005C51C6

Strings

|, xrefs: 005C51B5
D\, xrefs: 005C522E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D\
API String ID: 1413715105-4265793118
Opcode ID: 62c2bdc2938c9e5952f17b7b8dd5abe169a72321b4b9144567e43278000fc9fe
Instruction ID: 44596723714c0983a98b50573443bb572b1f8508bc491a0d1c396f31181b07f2
Opcode Fuzzy Hash: 62c2bdc2938c9e5952f17b7b8dd5abe169a72321b4b9144567e43278000fc9fe
Instruction Fuzzy Hash: 0031197580011AAFCF01AFE4DC45EEE7FB9FF58740F004059E819A6166EB31AA46DBA0

Function 005DA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005DA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005DA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 005DA196

Strings

SysMonthCal32, xrefs: 005DA129

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e0c20cf60042d9b7c190030991d3711315c241ed93aecf6837ab21b239527c60
Instruction ID: e3b35450b37b0b4fc4327412758bb947df32187107926c25993c9b4aabb7f5ab
Opcode Fuzzy Hash: e0c20cf60042d9b7c190030991d3711315c241ed93aecf6837ab21b239527c60
Instruction Fuzzy Hash: B321B132500218ABDF219F94CC46FEA3B7AFF48714F110115FA55AB2D0D7B5AC55DBA0

Function 005DA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005DA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005DA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005DA956

Strings

msctls_updown32, xrefs: 005DA8BB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ff068eaa0cf596da2ce310c6e306d7f34da679725e676579a654d1c390acba23
Instruction ID: 36662f9f4e0726a51f5ebc6e3ad5ab8a8d38cbaa1831fc1c7e17378fe3e3441c
Opcode Fuzzy Hash: ff068eaa0cf596da2ce310c6e306d7f34da679725e676579a654d1c390acba23
Instruction Fuzzy Hash: 57215EB560020AAFDB10DF58DC96D773BADFF5A3A4B05055AFA049B361CA30EC11DB61

Function 005D99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005D9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005D9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005D9A65

Strings

Listbox, xrefs: 005D99FD

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3716f2265ebf7debc74141e5882bcb0cf69d438359ec5f4bd89af06bb28d9345
Instruction ID: 141393fcc4fdc9c9ca06c6a71e6e2628913ccf449e61512e5150176da3df281c
Opcode Fuzzy Hash: 3716f2265ebf7debc74141e5882bcb0cf69d438359ec5f4bd89af06bb28d9345
Instruction Fuzzy Hash: CD21C232610118BFDB218F58CC85EBB3BBAFF89754F01812AF9449B2A0CA719C11D7A0

Function 005DA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005DA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005DA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005DA48F

Strings

msctls_trackbar32, xrefs: 005DA444

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c46ca959c4e47fc8bcd5f024a60369c691e3b13a95307e824fc3dd417a347400
Instruction ID: 47faa61a5a3ed4fd8096ca26587fd8717994bc19600c198dee7228d50f320850
Opcode Fuzzy Hash: c46ca959c4e47fc8bcd5f024a60369c691e3b13a95307e824fc3dd417a347400
Instruction Fuzzy Hash: A2110D71100208BEDF205F64CC49FA73B69FFC9754F01451AFA45961D1D6B1D811DB20

Function 00592287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00592350,?), ref: 005922A1
GetProcAddress.KERNEL32(00000000), ref: 005922A8

Strings

RoInitialize, xrefs: 00592290
combase.dll, xrefs: 0059229C

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 12550c3f355497704fb50e5ba617745f258572d3c153fb76decbe4698cb2c24b
Instruction ID: 4d27a5f43790cf70fd3cfabae30783b26947657766fc1c4c7c254c5b045e5fc0
Opcode Fuzzy Hash: 12550c3f355497704fb50e5ba617745f258572d3c153fb76decbe4698cb2c24b
Instruction Fuzzy Hash: D9E04F74694300ABEF205FB0EC4DB243A77B715706F1060A0F242D50E0CBF94049EF68

Function 0059235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00592276), ref: 00592376
GetProcAddress.KERNEL32(00000000), ref: 0059237D

Strings

RoUninitialize, xrefs: 00592365
combase.dll, xrefs: 00592371

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: c4c0fb931de3fe1660a01c4941273b7e5dbc7eb07dacacce1df14a77a37e580c
Instruction ID: b2cc279755a3a256150d980a42b14bbe43e9ded23c8d1ece79ce8db6d628ea90
Opcode Fuzzy Hash: c4c0fb931de3fe1660a01c4941273b7e5dbc7eb07dacacce1df14a77a37e580c
Instruction Fuzzy Hash: 48E0BD74684304BBEB206FA0ED1DB243A77B71070AF102824F209E20B0CBB99418EAA5

Function 005EAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005EAC60
__swprintf.LIBCMT ref: 005EAC94

Strings

%.3d, xrefs: 005EAC6E
WIN_XPe, xrefs: 005EACD3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1b3939241e3c5893d1f0f76bec111f81867f56239310991dd5244df9d93c762b
Instruction ID: 3bcfbbf208194adadf72ac9b8d51dc561c274ddf9a13a4f1e214f13471068cff
Opcode Fuzzy Hash: 1b3939241e3c5893d1f0f76bec111f81867f56239310991dd5244df9d93c762b
Instruction Fuzzy Hash: B6E012B1804AA9DBCB1497A1DD05DF97BBDBB04741F200CD2F94AE1000D635AF84EB22

Function 005D2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005D21FB,?,005D23EF), ref: 005D2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 005D2225

Strings

GetProcessId, xrefs: 005D221F
kernel32.dll, xrefs: 005D220E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: ac3b3eb4b3ef24846f4216a71c731fe89631b0ae0df63bccb8a82e20a65f7955
Instruction ID: db0d1f33174ae80d55e4e5b816adc20ea1599fb1a9a95d9ade679daa33c45102
Opcode Fuzzy Hash: ac3b3eb4b3ef24846f4216a71c731fe89631b0ae0df63bccb8a82e20a65f7955
Instruction Fuzzy Hash: 59D05E78400B239FC7214F24B808A127AE6AF24310F01441BA895E2250DA74D884EE60

Function 005742F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,005742EC,?,005742AA,?), ref: 00574304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00574316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00574310
kernel32.dll, xrefs: 005742FF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0aec0f168c6e8af7b4ce95f513ed13147ab90a7832c80b4d5e8f4427409f85d1
Instruction ID: 07cfcbd5d7d07e362eb4de97fb4adde10893e51a6ed2a040f56de2091c40f0b3
Opcode Fuzzy Hash: 0aec0f168c6e8af7b4ce95f513ed13147ab90a7832c80b4d5e8f4427409f85d1
Instruction Fuzzy Hash: 67D0A770810F23AFC7204F20F80CA127AE6BF14301B018819E589D2660E7B4C8C4EE20

Function 0057434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,005741BB,00574341,?,0057422F,?,005741BB,?,?,?,?,005739FE,?,00000001), ref: 00574359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0057436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00574365
kernel32.dll, xrefs: 00574354

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 6fb928da94db5ad69155b4203a04b832cb471b024adcb64c9bfd5f41ec01bccf
Instruction ID: f5f5534056aa2a810754a52624bec95b837f798fd778aafef7683f014cac347c
Opcode Fuzzy Hash: 6fb928da94db5ad69155b4203a04b832cb471b024adcb64c9bfd5f41ec01bccf
Instruction Fuzzy Hash: 41D0A770840B23AFD7214F30F848A137AE6BF20715B018919E4D9D2250E7B4D8C4EE20

Function 005B0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,005B052F,?,005B06D7), ref: 005B0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 005B0584

Strings

UnRegisterTypeLibForUser, xrefs: 005B057E
oleaut32.dll, xrefs: 005B056D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 1d6d0bad5543fbef20a379127e56df16518ff3b968c29e79915c75057eb4c2db
Instruction ID: 31a0ea12cca4e4330039c6fccfc49e45a4aebd83bcda28ae72104fc0af38d118
Opcode Fuzzy Hash: 1d6d0bad5543fbef20a379127e56df16518ff3b968c29e79915c75057eb4c2db
Instruction Fuzzy Hash: 9BD05E70440722AAD7205F20A808A637BF6BB14300B118419E841D2590D674D484CE30

Function 005B0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,005B051D,?,005B05FE), ref: 005B0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 005B0559

Strings

RegisterTypeLibForUser, xrefs: 005B0553
oleaut32.dll, xrefs: 005B0542

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 893a19f17170be0085ab559f49933fb13323f08a13b750997ca73580c49dc6cd
Instruction ID: 6739d7eab22ca605f7f0937824dd1c7ad3065e0af2e71268a86cfcfec93a7abf
Opcode Fuzzy Hash: 893a19f17170be0085ab559f49933fb13323f08a13b750997ca73580c49dc6cd
Instruction Fuzzy Hash: 91D0A730440B23AFC7308F20F808A537AF6BB14301F11C41DE446D25D0D674D884CE20

Function 005CECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005CECBE,?,005CEBBB), ref: 005CECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005CECE8

Strings

GetSystemWow64DirectoryW, xrefs: 005CECE2
kernel32.dll, xrefs: 005CECD1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 0abd44dd055707772f66bb5bf0d0f4c40ca16a1ca2e5a4c2ae7cf66270546383
Instruction ID: 717704fb1dcff2beecbd219e6d62f7bf32c885de7eb359f1523df3513e654981
Opcode Fuzzy Hash: 0abd44dd055707772f66bb5bf0d0f4c40ca16a1ca2e5a4c2ae7cf66270546383
Instruction Fuzzy Hash: EDD05E75400B23AECB205BA0A849B127AE6AB10300B01841DA885D2150DA74C884EA20

Function 005CBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,005CBAD3,00000001,005CB6EE,?,0060DC00), ref: 005CBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005CBAFD

Strings

GetModuleHandleExW, xrefs: 005CBAF7
kernel32.dll, xrefs: 005CBAE6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 83a57083b55551f7fddd59ec3557a37c1a9c89f40e1d314fcb4e7249278ace30
Instruction ID: c81f5ba67d6c3e90e58c4af9dc381d96d701e79d09e90d116003af03efca108d
Opcode Fuzzy Hash: 83a57083b55551f7fddd59ec3557a37c1a9c89f40e1d314fcb4e7249278ace30
Instruction Fuzzy Hash: E7D05EB0800B239FD7305F60B849F227AE6BB10304F01441DA883D2150DB74C884DA20

Function 005D3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,005D3BD1,?,005D3E06), ref: 005D3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005D3BFB

Strings

RegDeleteKeyExW, xrefs: 005D3BF5
advapi32.dll, xrefs: 005D3BE4

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 315126f95e8365e7d96c38e2454ec0224957f2e0de41d791dccbb56c0c2ba414
Instruction ID: 412b0fea9faeb8f25b1dc56ce7a5e1fa3de7a3b846f09c52e6b99934b0b21db2
Opcode Fuzzy Hash: 315126f95e8365e7d96c38e2454ec0224957f2e0de41d791dccbb56c0c2ba414
Instruction Fuzzy Hash: 65D05E70410B229AC7205B64E808A13BEB6AF11314B11846BE445E2260DAB4C884CE21

Function 005A9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5546370a508209bb60f2a7671261fd722719362ba471a91f97bf2964058040
Instruction ID: 105a028455c045c03c8689ad2ff9013371db07b0067fb263ded07e7adb7f9000
Opcode Fuzzy Hash: fb5546370a508209bb60f2a7671261fd722719362ba471a91f97bf2964058040
Instruction Fuzzy Hash: C9C13F75A0022AEFDF14DF94C894AAEBBB9FF89710F104598E905EB251D730DE41DBA0

Function 005CAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005CAAB4
CoUninitialize.OLE32 ref: 005CAABF

Part of subcall function 005B0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005B027B

VariantInit.OLEAUT32(?), ref: 005CAACA
VariantClear.OLEAUT32(?), ref: 005CAD9D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ab0624cbc30f3f8357b6c86bedc96b315732562986a424d4fe5b81854851a8b1
Instruction ID: c1886022a9a927b66d1e11b63ad88053be72879247e3e5d70dc707c91b97e0b1
Opcode Fuzzy Hash: ab0624cbc30f3f8357b6c86bedc96b315732562986a424d4fe5b81854851a8b1
Instruction Fuzzy Hash: 44A116352047069FDB10EF54C485B1ABBE5BF88714F14884DFA9A9B3A2CB30ED44DB96

Function 005A91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A91DD
SysAllocString.OLEAUT32(?), ref: 005A9286
VariantCopy.OLEAUT32 ref: 005A92B5
VariantClear.OLEAUT32(?), ref: 005A92DC

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1a6842c20209b25166382d9184abcbf71b44681d460eb6d61287df83875e4ebd
Instruction ID: e6ff4c0ab0ab6dbbb37cb89608954ac2cea3b27b4de69910cd8d85670cd47ce2
Opcode Fuzzy Hash: 1a6842c20209b25166382d9184abcbf71b44681d460eb6d61287df83875e4ebd
Instruction Fuzzy Hash: D05191346003169BDF20AF6AD499A6EBBF5FF8A310F208C1FE54ADB2D1DB7498409715

Function 0059365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005936B7
_memcpy_s.LIBCMT ref: 00593729
__filbuf.LIBCMT ref: 005937AA
_memset.LIBCMT ref: 005937EE

Part of subcall function 00597C0E: __getptd_noexit.LIBCMT ref: 00597C0E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: a32841e21c94ba03f055ff493876e028efb4bcfd563e1a5a4fd39750b68e66b5
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 4A51A3B0A00306EBDF249FA9C9856AE7FA5FF40320F248729F835962D0D7749F548B40

Function 005DC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(016A7EF8,?), ref: 005DC544
ScreenToClient.USER32(?,00000002), ref: 005DC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 005DC5DA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b868991b142d1d6140bfa7c354d13242a74ee21922fc9de9229fa3fee165968f
Instruction ID: 429343ef27923457284aa3df65eb76c61f72f7532d4576665705cb64acd2a5f2
Opcode Fuzzy Hash: b868991b142d1d6140bfa7c354d13242a74ee21922fc9de9229fa3fee165968f
Instruction Fuzzy Hash: CB510875900206AFCF20DF6CD881AAE7FB6BB55320F24865AF9659B290D730E941CB90

Function 005AC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005AC462
__itow.LIBCMT ref: 005AC49C

Part of subcall function 005AC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005AC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 005AC505
__itow.LIBCMT ref: 005AC55A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ccb1f1bdec424e8ff21d3142b1e37fd9e5293b9fee13efc926b5aa255e622236
Instruction ID: 70f412f64161895bd1b84d23965ac1c029fcf52aea459df2dfaf2952e972a33b
Opcode Fuzzy Hash: ccb1f1bdec424e8ff21d3142b1e37fd9e5293b9fee13efc926b5aa255e622236
Instruction Fuzzy Hash: 53410A70A0060A6FDF25EF54D855FEE7FB9BF8A700F004019F909A7181DB709A45CBA5

Function 005B390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 005B3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 005B3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 005B39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 005B3A4D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 33fc526b78e8d0238cc5d0de56784edd96b6a431ee860a09440a52bd010f7030
Instruction ID: 40fbd3fbb738a6f0cf1385a3ff9adc1f2747d57b4fd964de9a0452118b7ebc66
Opcode Fuzzy Hash: 33fc526b78e8d0238cc5d0de56784edd96b6a431ee860a09440a52bd010f7030
Instruction Fuzzy Hash: C141F570A44248AEEF208F65C80ABFDBFB9BB55310F14015AE4C1B62C1C7B4AE89D765

Function 005DB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005DB5D1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 422a6d76c3b5dbe8cbf9296db1c525a02d6706fd7e02d6ef8f1bfddf3b694bff
Instruction ID: f4cbb9460dceebdc515e458cf1a387bfd61011c2a92cc834904bd8546f46fb29
Opcode Fuzzy Hash: 422a6d76c3b5dbe8cbf9296db1c525a02d6706fd7e02d6ef8f1bfddf3b694bff
Instruction Fuzzy Hash: 02319974601205EBFB308A5D9889BA87FA6BB06350F624503FA11D63E1E730E940DB91

Function 005DD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005DD807
GetWindowRect.USER32(?,?), ref: 005DD87D
PtInRect.USER32(?,?,005DED5A), ref: 005DD88D
MessageBeep.USER32(00000000), ref: 005DD8FE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 454cb1176959c326cafb274f526ada19485e3dd479011e90c7e8848becc23f42
Instruction ID: 46fa4d143dbbc71b88f3b57dfdaa4df95eca39e9f7e17dab1c94122e3a97f01a
Opcode Fuzzy Hash: 454cb1176959c326cafb274f526ada19485e3dd479011e90c7e8848becc23f42
Instruction Fuzzy Hash: B5417C70A00219DFCB22DF9CD885A69BBB6BB46310F1881ABE415DB355D730E945EB60

Function 005B3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 005B3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 005B3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 005B3B34
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 005B3B92

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: df1f5f8185a5d055f19204a3e03c13180846a3a8e5c22500c12b81ae7eb50016
Instruction ID: 76aa5e5aed6e8836a03f35fe473ef66761f0a9c0a23a375be554808b6ba83c73
Opcode Fuzzy Hash: df1f5f8185a5d055f19204a3e03c13180846a3a8e5c22500c12b81ae7eb50016
Instruction Fuzzy Hash: BC310530A00258AEEF308B648819BFE7FBABB55310F04065AE481A32D5CB74BF45D761

Function 005A4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005A4038
__isleadbyte_l.LIBCMT ref: 005A4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005A4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005A40CA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6199d5e20cfa666b05e7b48677955561062ae3dce42209c7d2cc39eea210546e
Instruction ID: 32b5f679db5f5c5608452edff8bfdcdf419699992eac1e95bc28a5c530127bf1
Opcode Fuzzy Hash: 6199d5e20cfa666b05e7b48677955561062ae3dce42209c7d2cc39eea210546e
Instruction Fuzzy Hash: 4A31A131600246EFDB219FB4C849B7E7FA5BF82310F158429E6658B191E7B1E891EF90

Function 005D7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005D7CB9

Part of subcall function 005B5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 005B5F6F
Part of subcall function 005B5F55: GetCurrentThreadId.KERNEL32 ref: 005B5F76
Part of subcall function 005B5F55: AttachThreadInput.USER32(00000000,?,005B781F), ref: 005B5F7D

GetCaretPos.USER32(?), ref: 005D7CCA
ClientToScreen.USER32(00000000,?), ref: 005D7D03
GetForegroundWindow.USER32 ref: 005D7D09

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c07837d3f298893a5f93055603b673b4e2ec310adf58df99d1015e529d0d984c
Instruction ID: 63c63b55effffa3e39b03c6d7eea52bdecb5ef52bb013854724cdf6f1719bd2a
Opcode Fuzzy Hash: c07837d3f298893a5f93055603b673b4e2ec310adf58df99d1015e529d0d984c
Instruction Fuzzy Hash: 04310C71900109AFDB10EFA9D8859FFBFF9FF98310B10846AE815E7211DA359E05DBA0

Function 005DF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

GetCursorPos.USER32(?), ref: 005DF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005EE4C0,?,?,?,?,?), ref: 005DF226
GetCursorPos.USER32(?), ref: 005DF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005EE4C0,?,?,?), ref: 005DF2A6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5bfc8d5847889a168e767e7c0c425388f69a31e05a6234d1f4417864d1b49542
Instruction ID: a9793affed573989a8115f5c71e27e6e5f12ada7b00fa51f153ba71d5eec71e5
Opcode Fuzzy Hash: 5bfc8d5847889a168e767e7c0c425388f69a31e05a6234d1f4417864d1b49542
Instruction Fuzzy Hash: 2D218C3D500018EFCB259F98CC59EAA7FBAFB4A310F44406AF9068B2A1D3349951DBA0

Function 005C431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005C4358

Part of subcall function 005C43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005C4401
Part of subcall function 005C43E2: InternetCloseHandle.WININET(00000000), ref: 005C449E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 8e1f9f3875c544446d6111434980ccbb2cb5eec8fc27ec1ac3abe358c5d365f5
Instruction ID: 9300b94855d9453e1603a905914c8c82dbfbb16d30ebdffdaeb628a57288afbd
Opcode Fuzzy Hash: 8e1f9f3875c544446d6111434980ccbb2cb5eec8fc27ec1ac3abe358c5d365f5
Instruction Fuzzy Hash: C9210431200601BFDB119FA08C10F7BBFBAFFD4B10F10481EBA05D6550D7719864ABA0

Function 005C8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 005C8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 005C8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 005C8AFF
WSAGetLastError.WSOCK32(00000000), ref: 005C8B16

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: af7bd120f973b9985946230cf5ebf0351f1073b9c43a9c76f6ca33629cc1bf6b
Instruction ID: 39796b4b294b25d16a43f1e06fe572e673cfdc4058f7afb12bb7b99b077dca6c
Opcode Fuzzy Hash: af7bd120f973b9985946230cf5ebf0351f1073b9c43a9c76f6ca33629cc1bf6b
Instruction Fuzzy Hash: B1218472A001249FC711AF69C885AAEBFFCEF59310F004169F849D7251DB749D45CFA0

Function 005D8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005D8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005D8ADC

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 40b8112b08b7294f5046396028081dd8c96a0583c299521214de4661e321025e
Instruction ID: bc8e3c592837b304da34d8a1a1ebc2ef71869aecad2523fa6ed690c0cfd74247
Opcode Fuzzy Hash: 40b8112b08b7294f5046396028081dd8c96a0583c299521214de4661e321025e
Instruction Fuzzy Hash: 6A117231205111AFDB15AB18DC09FBA7BA9BF95320F14411AF916C72E2CBB4AD01D7A4

Function 005B0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,005B0ABB,?,?,?,005B187A,00000000,000000EF,00000119,?,?), ref: 005B1E77
Part of subcall function 005B1E68: lstrcpyW.KERNEL32(00000000,?,?,005B0ABB,?,?,?,005B187A,00000000,000000EF,00000119,?,?,00000000), ref: 005B1E9D
Part of subcall function 005B1E68: lstrcmpiW.KERNEL32(00000000,?,005B0ABB,?,?,?,005B187A,00000000,000000EF,00000119,?,?), ref: 005B1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,005B187A,00000000,000000EF,00000119,?,?,00000000), ref: 005B0AD4
lstrcpyW.KERNEL32(00000000,?,?,005B187A,00000000,000000EF,00000119,?,?,00000000), ref: 005B0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,005B187A,00000000,000000EF,00000119,?,?,00000000), ref: 005B0B2E

Strings

cdecl, xrefs: 005B0B25

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3995faa7445f29974376c5752eb1c03e954484db34738c6e1037c0d1fb5b4ee5
Instruction ID: 63b052c442e29a06464b156962c8d8721675fe3aa7bc920aba29d74386e6547e
Opcode Fuzzy Hash: 3995faa7445f29974376c5752eb1c03e954484db34738c6e1037c0d1fb5b4ee5
Instruction Fuzzy Hash: 01119336200305AFDB25AF24DC55DBE7BB9FF49354B90506AE806CB2A0EB71E950D7A0

Function 005A2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005A2FB5

Part of subcall function 0059395C: __FF_MSGBANNER.LIBCMT ref: 00593973
Part of subcall function 0059395C: __NMSG_WRITE.LIBCMT ref: 0059397A
Part of subcall function 0059395C: RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000001,00000000,?,?,0058F507,?,0000000E), ref: 0059399F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 55b27c1c34aeeeff417f0d71294ffc29ff6812ff6c5ad98c3a86aece1147ce6a
Instruction ID: 5562c7c75aa8c2a6cf7db18c8ad8aacd6f407a62c24c828092443e34333e1826
Opcode Fuzzy Hash: 55b27c1c34aeeeff417f0d71294ffc29ff6812ff6c5ad98c3a86aece1147ce6a
Instruction Fuzzy Hash: 3E11A332509617AFDF213B74AC0E66E3FA4BF9A364F204926F949DA191DB34CD409A90

Function 005B058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 005B05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005B05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005B05DD
FreeLibrary.KERNEL32(?), ref: 005B0632

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 850a6becaf386ae86b29077c64435aa97c1910e67eeeb932bf6170d0045c4f74
Instruction ID: e0d8f1caf0ec49eab658ab5bbdff665e727897965b1b79bdbd2ef68f075521b0
Opcode Fuzzy Hash: 850a6becaf386ae86b29077c64435aa97c1910e67eeeb932bf6170d0045c4f74
Instruction Fuzzy Hash: 95216D71900209EBDB208F95DC88AEBBFB8FF40700F0098A9E516D2090D774FA59EF60

Function 005B6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005B6733
_memset.LIBCMT ref: 005B6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005B67A6
CloseHandle.KERNEL32(00000000), ref: 005B67AF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: b656ea3ad727e8ff70e6a58f833716bbce8ccb190124ee29b606c6097ead22d9
Instruction ID: 080c4806b58a07083f0ffb41bce7cad3aaf9fcdca184fabd07ac2445a74833a7
Opcode Fuzzy Hash: b656ea3ad727e8ff70e6a58f833716bbce8ccb190124ee29b606c6097ead22d9
Instruction Fuzzy Hash: CC11E7759012287AE72057A5AC4DFEBBABCEF44724F10459AF504E71C0D6745E84CBB4

Function 005AB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005AAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005AAA79
Part of subcall function 005AAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005AAA83
Part of subcall function 005AAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005AAA92
Part of subcall function 005AAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005AAA99
Part of subcall function 005AAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005AAAAF

GetLengthSid.ADVAPI32(?,00000000,005AADE4,?,?), ref: 005AB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005AB227
HeapAlloc.KERNEL32(00000000), ref: 005AB22E
CopySid.ADVAPI32(?,00000000,?), ref: 005AB247

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: a52ded6b47685897c4097b680545b3dfba7fc5c9e1184b6f7fdf1b4db0dbc7b2
Instruction ID: d0c9856ae4c79858f3627fe3bc401c84b6476b5c52b317b7fc314a320c2bb10f
Opcode Fuzzy Hash: a52ded6b47685897c4097b680545b3dfba7fc5c9e1184b6f7fdf1b4db0dbc7b2
Instruction Fuzzy Hash: EA118275A00205EFDB149F54DC45BBEBBBAFF96304B14802EE542D7211D7359E44DB60

Function 005AB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005AB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005AB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005AB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005AB4DB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e3a9dccc1d0b1395458951534330bf381c47608e3a83b57514ec9979916bcfd0
Instruction ID: 0cd8fa469248e4f01df50e02254b6dda64a5adf3dec46e9c7a11904ec3d1f28c
Opcode Fuzzy Hash: e3a9dccc1d0b1395458951534330bf381c47608e3a83b57514ec9979916bcfd0
Instruction Fuzzy Hash: DA11487A900218FFEF11DFA8C885E9DBBB5FB09700F204091E604B7291D771AE10DB94

Function 0058B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0058B5A5
GetClientRect.USER32(?,?), ref: 005EE69A
GetCursorPos.USER32(?), ref: 005EE6A4
ScreenToClient.USER32(?,?), ref: 005EE6AF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 84b73a9343b856c7f4ad76bff5022817fb54d78384599e8d75b818b08d392748
Instruction ID: 5e0d82f9d5cee3e2920b545dccb086fea1d2cf0663136f133f5bd7886b6833ad
Opcode Fuzzy Hash: 84b73a9343b856c7f4ad76bff5022817fb54d78384599e8d75b818b08d392748
Instruction Fuzzy Hash: A211363190002ABBDB14EF98E84A9BE7BB9FB59304F100451E941E7240E734AA85DBB5

Function 005B732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005B7352
MessageBoxW.USER32(?,?,?,?), ref: 005B7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005B739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005B73A2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 446d55b35d4b1cd34805eb25ce88226b2989b9140fb37deb4ab97e97a4162451
Instruction ID: 6b0ad849745d169693a29bdc5e6f24e05dd5adabbb22f47f8bdbb26cb417dfdf
Opcode Fuzzy Hash: 446d55b35d4b1cd34805eb25ce88226b2989b9140fb37deb4ab97e97a4162451
Instruction Fuzzy Hash: FC11E572A04218ABC7019BA89C09EEF7FEEAB89310F044255F921D3391D6709A04A7B0

Function 0058D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058D1BA
GetStockObject.GDI32(00000011), ref: 0058D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0058D1D8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b13672e857e3ae34fe0e520f56b684fc53a5cc76df74d8b04bedbe2c2d462215
Instruction ID: a26c6b9f7ff4989dcb96ff9229b66e503d99c884e32f9447050138a88f2f1d67
Opcode Fuzzy Hash: b13672e857e3ae34fe0e520f56b684fc53a5cc76df74d8b04bedbe2c2d462215
Instruction Fuzzy Hash: 6B11AD72501509BFEB026F909C59EEABFBAFF19364F040102FE04A6090CB359C60EBB0

Function 005A4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005A4E16

Part of subcall function 005A54F5: __fltout2.LIBCMT ref: 005A551E

__cftog_l.LIBCMT ref: 005A4E3C
__cftoe_l.LIBCMT ref: 005A4E6E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: afc54b833c99bab4f0ac65fa257227ed3c8a361839fc1b3ecd0831c787cf1e77
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 85014B3200014ABBCF125EC4DC05CEE3F2ABB9A350B598455FA1859031D376CAB1AF82

Function 00597452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00597A0D: __getptd_noexit.LIBCMT ref: 00597A0E

__lock.LIBCMT ref: 0059748F
InterlockedDecrement.KERNEL32(?), ref: 005974AC
_free.LIBCMT ref: 005974BF
InterlockedIncrement.KERNEL32(016A9DA8), ref: 005974D7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: ef3582d775efb8959b0141608c6ca31065467043637de065efdb5a82eff4cb7c
Instruction ID: c68b5b0131dbca4079f30f51579ecc66a418e73d6bd64ff4d3049677d3ac92b3
Opcode Fuzzy Hash: ef3582d775efb8959b0141608c6ca31065467043637de065efdb5a82eff4cb7c
Instruction Fuzzy Hash: B601D631915B2BA7CF21AF64A90979DBF71BF48710F194006F818A3682CB745D41CFD6

Function 005DDFDE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005DDFF7
ScreenToClient.USER32(?,?), ref: 005DE00F
ScreenToClient.USER32(?,?), ref: 005DE033
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005DE04E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 459c29817dea0175698f440b461be9a91d1eb00a201cb4b08748e7e78837a730
Instruction ID: 50efd3c3c3fa0957aab8cfded65db880661c15e7618c676ae6f3165524820bef
Opcode Fuzzy Hash: 459c29817dea0175698f440b461be9a91d1eb00a201cb4b08748e7e78837a730
Instruction Fuzzy Hash: 6E1120B9D00209EFDB41DF98C8849EEBBF9FB18310F108166E925E3210D735AA59DF61

Function 005DEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0058AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0058AFE3
Part of subcall function 0058AF83: SelectObject.GDI32(?,00000000), ref: 0058AFF2
Part of subcall function 0058AF83: BeginPath.GDI32(?), ref: 0058B009
Part of subcall function 0058AF83: SelectObject.GDI32(?,00000000), ref: 0058B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 005DEA8E
LineTo.GDI32(00000000,?,?), ref: 005DEA9B
EndPath.GDI32(00000000), ref: 005DEAAB
StrokePath.GDI32(00000000), ref: 005DEAB9

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: b33a809448b5183bb5713f0f657fea1de8e41f5195f7cc63ee89e5bd97977e64
Instruction ID: 4b8945c604e8f8ab935eb228e224c039c1835bbe394823b8d908b63fe8884ce7
Opcode Fuzzy Hash: b33a809448b5183bb5713f0f657fea1de8e41f5195f7cc63ee89e5bd97977e64
Instruction Fuzzy Hash: 03F0823100525ABBDB12AF94AD0EFDE3F2AAF17311F084102FE11A91E18B785655DBF5

Function 005AC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005AC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 005AC85D
GetCurrentThreadId.KERNEL32 ref: 005AC864
AttachThreadInput.USER32(00000000), ref: 005AC86B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 0ca1e23dd84bebdb16459648ecc40d91c7637aed84e99499de65cd3af1bcd0f7
Instruction ID: 05fed50acece3f1cda88e39ff364d53a8fa4df63be446da36444e334d1b9d621
Opcode Fuzzy Hash: 0ca1e23dd84bebdb16459648ecc40d91c7637aed84e99499de65cd3af1bcd0f7
Instruction Fuzzy Hash: 61E03971141228BADB201BA29C0DEEB7F6DFF267A1F008021B609D4460C6B98584EBF0

Function 005AB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005AB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,005AAC9D), ref: 005AB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005AAC9D), ref: 005AB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,005AAC9D), ref: 005AB0F1

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bbaf326544c5df07190d68da4e8ba8d0be386d18ff3eb1799fb5bf7778bf64f2
Instruction ID: 286a9c67a553783948fa5bf17bba1c1cf07bf7907deae7c9f958310b1b3287f9
Opcode Fuzzy Hash: bbaf326544c5df07190d68da4e8ba8d0be386d18ff3eb1799fb5bf7778bf64f2
Instruction Fuzzy Hash: 9BE04F32601211ABE7205FB15C0CB6F3BBDBF66791F018818A641D6080EA288405D770

Function 0058B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0058B496
SetTextColor.GDI32(?,000000FF), ref: 0058B4A0
SetBkMode.GDI32(?,00000001), ref: 0058B4B5
GetStockObject.GDI32(00000005), ref: 0058B4BD
GetWindowDC.USER32(?,00000000), ref: 005EDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 005EDE38
GetPixel.GDI32(00000000,?,00000000), ref: 005EDE51
GetPixel.GDI32(00000000,00000000,?), ref: 005EDE6A
GetPixel.GDI32(00000000,?,?), ref: 005EDE8A
ReleaseDC.USER32(?,00000000), ref: 005EDE95

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d9ff50b144530b34d352a3644e2f7b262469f4b89863148dd151f892d3d70b3e
Instruction ID: 989a41803862bf33b1e9c1fb502a4d152bc614024f1709e27a849b8e9141d651
Opcode Fuzzy Hash: d9ff50b144530b34d352a3644e2f7b262469f4b89863148dd151f892d3d70b3e
Instruction Fuzzy Hash: C5E0E531500240AADF215B65AC0DFE83F26AB62335F14C656FAA5980E1C7754545EB21

Function 005AB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005AB2DF
UnloadUserProfile.USERENV(?,?), ref: 005AB2EB
CloseHandle.KERNEL32(?), ref: 005AB2F4
CloseHandle.KERNEL32(?), ref: 005AB2FC

Part of subcall function 005AAB24: GetProcessHeap.KERNEL32(00000000,?,005AA848), ref: 005AAB2B
Part of subcall function 005AAB24: HeapFree.KERNEL32(00000000), ref: 005AAB32

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9d2abd6361e61d503e9a8748c3d59acec03035abbc7c705bbb2f099293b96397
Instruction ID: bbe70ee1e55c1917cff4a0739b5891ba5693a41c1bb77d2a211bb4ea564e7d2d
Opcode Fuzzy Hash: 9d2abd6361e61d503e9a8748c3d59acec03035abbc7c705bbb2f099293b96397
Instruction Fuzzy Hash: 10E02F3A104405BBDB016B95DC0886DFF77FF993213108621F615C15B5DB369475FBA1

Function 005EB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005EB29A
GetDC.USER32(00000000), ref: 005EB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005EB2C3
ReleaseDC.USER32 ref: 005EB2E2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ce76c87b060a8bef55ca8cad565251c164c158f99440b00ec412c6bd0f063109
Instruction ID: d577383f276e1acf50240702906297fd34d3501094131a1a4d2a8e09e8e2a89b
Opcode Fuzzy Hash: ce76c87b060a8bef55ca8cad565251c164c158f99440b00ec412c6bd0f063109
Instruction Fuzzy Hash: F5E0EEB5100204AFEB006F60884CA3E7FBAFB58351F11880AED5ADB250DA789845AB60

Function 005EB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005EB2AE
GetDC.USER32(00000000), ref: 005EB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005EB2C3
ReleaseDC.USER32 ref: 005EB2E2

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 341f6856ff5bb3d8416b0a9a25b979617348f291b333da64b708ed20d475b70b
Instruction ID: 60daf7b8a87d71a74f12ec0770b8cdf8060e94149d6103ee9a44896a7d0112f6
Opcode Fuzzy Hash: 341f6856ff5bb3d8416b0a9a25b979617348f291b333da64b708ed20d475b70b
Instruction Fuzzy Hash: 52E012B1500200AFDB006F70884CA3D7FBAFB5C351F118809FD5ADB250DB789805EB20

Function 005ADCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 005ADEAA

Strings

Container, xrefs: 005ADE29
AutoIt3GUI, xrefs: 005ADE22

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 41bdc47c7d20547265dadb85938a61eb0735f3d0266e3e78f699f897c54691f5
Instruction ID: e42d5fcf6729d53943a3f7c826d583690fcf7521c924e021c34329e1cf62778b
Opcode Fuzzy Hash: 41bdc47c7d20547265dadb85938a61eb0735f3d0266e3e78f699f897c54691f5
Instruction Fuzzy Hash: 14912974600602AFDB14DF64C888F6ABBF9BF49710F10896DF94ADB691DB71E841CB60

Function 005BDE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0058C6F4: _wcscpy.LIBCMT ref: 0058C717

Part of subcall function 0057936C: __swprintf.LIBCMT ref: 005793AB
Part of subcall function 0057936C: __itow.LIBCMT ref: 005793DF

__wcsnicmp.LIBCMT ref: 005BDEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 005BDFC6

Strings

LPT, xrefs: 005BDEF7

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1d673cc142d5b0e6f37a3e2afa38ab177b381fadf572e561f8f0cfe80a3e0868
Instruction ID: 8b217632566ef603cd53f13ea384e656823fa329cc70433676ef8de62ff002aa
Opcode Fuzzy Hash: 1d673cc142d5b0e6f37a3e2afa38ab177b381fadf572e561f8f0cfe80a3e0868
Instruction Fuzzy Hash: 23618375A00119AFCB14EF98C89AEFEBBB5BF48310F054469F546AB291D770AE40DB60

Function 005B290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 005B2A72

Strings

I/^, xrefs: 005B29FC, 005B2A64, 005B2A12
I/^, xrefs: 005B297F

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscpy
String ID: I/^$I/^
API String ID: 3048848545-4092781349
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: b47ef7933965a393cc7ebb42136f1ff3c760ecad03ca97abb3d5a6a882d04e9c
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 7141F831900216AACF25EF98D4819FDBF70FF48710F54905AE885A7191EB707E82D770

Function 0058BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0058BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0058BCF3

Strings

@, xrefs: 0058BCE8

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 73d51cbadb60603e738d637f9e7a7a55174623cbfae6520cbcb0aa206e1eacfb
Instruction ID: 5127e379d3ffe42aaa1b6ce7f68075f0fd47859936657a9aae277e304c8ceef7
Opcode Fuzzy Hash: 73d51cbadb60603e738d637f9e7a7a55174623cbfae6520cbcb0aa206e1eacfb
Instruction Fuzzy Hash: 2F511871408745ABE320AF14DC8ABBFBFE8FBD4354F41484DF5C8520A6DB7089A98B56

Function 005BC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 005744ED: __fread_nolock.LIBCMT ref: 0057450B

_wcscmp.LIBCMT ref: 005BC65D
_wcscmp.LIBCMT ref: 005BC670

Strings

FILE, xrefs: 005BC5A5

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: bad86403ac58d740c3e6dc30b5a5a8ff94971b7cad91b2394e7b7fc66dd0835f
Instruction ID: 58fd5817cf19b2b67931fcf188d94daed44ff775cd14e10781feb95f381e990b
Opcode Fuzzy Hash: bad86403ac58d740c3e6dc30b5a5a8ff94971b7cad91b2394e7b7fc66dd0835f
Instruction Fuzzy Hash: 2841E672A0021BBADF209AA49C46FEF7FB9BF89700F004469F615EB181D770AA04DB54

Function 005DA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005DA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005DA86F

Strings

', xrefs: 005DA7C3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8051f5ceae2f42d38e623fe640be4b62bf47a2e6ffd91ff23735faacdf2fbfd8
Instruction ID: 189a51001945512b0514d51e708a428bfd0ecdc9365966ebc8f7992bd449fa81
Opcode Fuzzy Hash: 8051f5ceae2f42d38e623fe640be4b62bf47a2e6ffd91ff23735faacdf2fbfd8
Instruction Fuzzy Hash: 9441E774A013099FDB64CFA8D881BDA7BB9FB09300F14156BE905EB341D770A942DFA1

Function 005D975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005D980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005D984A

Strings

static, xrefs: 005D97AA

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 803679c6a7d9ed5e749d7cafc87778b450f046c0639f0e333c33e269f9204d88
Instruction ID: 8e4f0cc14f9a06e5da2bd4e1f0310fa82853cf79fa917666225ab120da3dcd5b
Opcode Fuzzy Hash: 803679c6a7d9ed5e749d7cafc87778b450f046c0639f0e333c33e269f9204d88
Instruction Fuzzy Hash: 87317071110604AADB209F78CC85BFB7BB9FF99764F00861AF8A9D7290CB35AC41D760

Function 005B5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005B5201

Strings

0, xrefs: 005B51BF

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 81b40de7718f55c5d24a0ddd7bd05cd5baf424e509fa8d9ef68a2977a96ce054
Instruction ID: 30a49f1ec43afa3e294026bf1a25522134de405d59d31ce189318f3973f79538
Opcode Fuzzy Hash: 81b40de7718f55c5d24a0ddd7bd05cd5baf424e509fa8d9ef68a2977a96ce054
Instruction Fuzzy Hash: 0D31C1396017059FEB28CF99E849BEEFFF5BF85350F144419E981A61A0F770AA44CB50

Function 005C658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 005C6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 005C65FA
, $, xrefs: 005C6648

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 7b63bd68954b928b259b32c0b12a204ec94f07d6c3f6796ebaeef51f38a31270
Instruction ID: c7c7ffe0f12a24a2d2701b427b4815839a129c15185c7f0d31fcdff49252d974
Opcode Fuzzy Hash: 7b63bd68954b928b259b32c0b12a204ec94f07d6c3f6796ebaeef51f38a31270
Instruction Fuzzy Hash: 7D21937160022AAFCF10EFA4E885FAE7BB5BF85700F40445DF409AB241DB70EA45DBA1

Function 005D93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005D945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005D9467

Strings

Combobox, xrefs: 005D9429

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 390af0131c5212e14ebecd32d9a0b13cb87df1e7501e20972c6b32a43f8e688d
Instruction ID: 7c79832a58f740b74870f8e43dd2d1b1bc7cfe662f0ba6c436e3b7cd65282e85
Opcode Fuzzy Hash: 390af0131c5212e14ebecd32d9a0b13cb87df1e7501e20972c6b32a43f8e688d
Instruction Fuzzy Hash: 4711B6713001096FEF219E58DC81EBB3B6FFB983A4F104527F91897391D6719C5287A0

Function 005DDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0058B34E: GetWindowLongW.USER32(?,000000EB), ref: 0058B35F

GetActiveWindow.USER32 ref: 005DDA7B
EnumChildWindows.USER32(?,005DD75F,00000000), ref: 005DDAF5

Strings

T1\, xrefs: 005DDAFB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1\
API String ID: 3814560230-812926227
Opcode ID: d8ed6b18d4e9d4a377ceef618891522a186417296b434efbaf1390d08476c923
Instruction ID: f409885558bd3a19220028725e1f6bfdbcf38e96e5913c246d1e9ef8580744fa
Opcode Fuzzy Hash: d8ed6b18d4e9d4a377ceef618891522a186417296b434efbaf1390d08476c923
Instruction Fuzzy Hash: 06212E35604201DFDB24DF6CD851AA57BF6FB5B320F15161AE8668B3E0D730A800CFA0

Function 005D98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0058D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058D1BA
Part of subcall function 0058D17C: GetStockObject.GDI32(00000011), ref: 0058D1CE
Part of subcall function 0058D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058D1D8

GetWindowRect.USER32(00000000,?), ref: 005D9968
GetSysColor.USER32(00000012), ref: 005D9982

Strings

static, xrefs: 005D9945

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 64a83d6d0f23e25ad0ebdd0d0a11da632dcef085440093b1be8695b3a902c906
Instruction ID: 584d4f5ab06e651bbb76a59ba91afb9a32e84a0300da570673e67146cc2d82f1
Opcode Fuzzy Hash: 64a83d6d0f23e25ad0ebdd0d0a11da632dcef085440093b1be8695b3a902c906
Instruction Fuzzy Hash: 5311477251020AAFDB14DFB8CC45AFA7BB9FB08304F011A2AF955E6250D634E811DB60

Function 005D9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005D9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005D96A8

Strings

edit, xrefs: 005D967D

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a9614fd8c2363cc839018cdb0c2c12cd06c0193ac160a9b3d210fb71c3545aa0
Instruction ID: dd9e0bb0a2d61e5ba95b2958135b3c94a6de0aad526c98a916b591575dc7c44e
Opcode Fuzzy Hash: a9614fd8c2363cc839018cdb0c2c12cd06c0193ac160a9b3d210fb71c3545aa0
Instruction Fuzzy Hash: 52116A71100109AAEB205FA8DC44AEB3B6AFB153B8F104716F965D72E0C735DC51E7A0

Function 005B5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005B52F4

Strings

0, xrefs: 005B52CE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 08cd5772708a0a9ed23ed36b1fe84700adaee0c085c1fd5cb337e27d021a9cbf
Instruction ID: 66c2921ba6656caea6142ae1584ab7f02fb196d541cac771ca5ccca77ea6f8df
Opcode Fuzzy Hash: 08cd5772708a0a9ed23ed36b1fe84700adaee0c085c1fd5cb337e27d021a9cbf
Instruction Fuzzy Hash: 2511D076901614ABDF28DE98D904BEDBBF9BB06750F080425E901EB290E3B0BD05C7A0

Function 005C4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005C4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005C4E1E

Strings

<local>, xrefs: 005C4DE6

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b63f4bd3a205c11c38e264d79b9e3211a4dbc9db34590216bc475a0af97209dd
Instruction ID: 2cc0423f9bbfb4a2f8fbb27be67d63ea136aaf0fd6637f85af098938ed68b1b5
Opcode Fuzzy Hash: b63f4bd3a205c11c38e264d79b9e3211a4dbc9db34590216bc475a0af97209dd
Instruction Fuzzy Hash: 94119E74501221BFDB259F9188A8FFBFEA8FF16755F10862EF50696140D3706944DAE0

Function 0059A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005A37A7
___raise_securityfailure.LIBCMT ref: 005A388E

Strings

(c, xrefs: 005A3889

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (c
API String ID: 3761405300-2819260645
Opcode ID: fb3b4f65fb51e301ba1055879b96d0774696fd24854c04ca0d16121d2d57b8fe
Instruction ID: c0ae6c3f7aafe8d65db12780330111d9b993b82c3585b917a6147ed3a454d4fa
Opcode Fuzzy Hash: fb3b4f65fb51e301ba1055879b96d0774696fd24854c04ca0d16121d2d57b8fe
Instruction Fuzzy Hash: 8E2112B5600204DBE714DF55EDA66043BF6FB4C314F10A86AE5048A7B0E3F1AA88CBC5

Function 005CA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005CA84E
htons.WSOCK32(00000000,?,00000000), ref: 005CA88B

Strings

255.255.255.255, xrefs: 005CA866

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 0814511cc8fedcd29e26ee61ba9b2d9747162c4ac905fa124feb199d8ae58fcd
Instruction ID: bb206652a880b650876fd2a49fc49f1ed42ac6e95aa324fab8d2258e52cffd50
Opcode Fuzzy Hash: 0814511cc8fedcd29e26ee61ba9b2d9747162c4ac905fa124feb199d8ae58fcd
Instruction Fuzzy Hash: 10010435200309AFCB11AFA4C84AFADBF65FF45714F10846AF515AB291C735E805C752

Function 005AB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005AB7EF

Strings

ListBox, xrefs: 005AB7B9
ComboBox, xrefs: 005AB78B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 28736da617377d4acb80f984ef75949d4dc94b87e2e382963c38602344521cd2
Instruction ID: de85e42af0efaf81c89068e0814fadbb72a3f6d6c189b7ed6aea2740fb6cd313
Opcode Fuzzy Hash: 28736da617377d4acb80f984ef75949d4dc94b87e2e382963c38602344521cd2
Instruction Fuzzy Hash: 01012471600116ABDB04EBA8DC569FE3B7EFF87310B00061CF462A72C2EF7458089BA0

Function 005AB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 005AB6EB

Strings

ListBox, xrefs: 005AB6B5
ComboBox, xrefs: 005AB687

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 82386381861b930b26a2b77d894bd038e75632113a27aafb97c97d1a049e2dc4
Instruction ID: 70e7b962ae4bf228c17c7a25d36534dc13616d6613d6c1b6e52a734a5f5a4a75
Opcode Fuzzy Hash: 82386381861b930b26a2b77d894bd038e75632113a27aafb97c97d1a049e2dc4
Instruction Fuzzy Hash: 6001DF71A40006ABDB04EBA4D956AFE3BB9AB4B340B10001CB406A7182EF545E08ABF5

Function 005AB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 005AB76C

Strings

ListBox, xrefs: 005AB738
ComboBox, xrefs: 005AB70A

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 36161d340a2a7bdc190d264c23f1791fc1bbe6b378e6a598eacae465c29c8368
Instruction ID: 2307f80ae20c59c5e4621aa8970ffff23ab6e34a7eb729be8254ea4fcd9af60c
Opcode Fuzzy Hash: 36161d340a2a7bdc190d264c23f1791fc1bbe6b378e6a598eacae465c29c8368
Instruction Fuzzy Hash: 81012671640006BBDB01F7A4D916EFE3BADFB47300F50001DB406B3192EBA05E089BB1

Function 00594D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00594D9E
__calloc_crt.LIBCMT ref: 00594DB7

Strings

"c, xrefs: 00594DCE

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: __calloc_crt
String ID: "c
API String ID: 3494438863-2537087582
Opcode ID: 33412f53b8b210eb6e8daf4fd1a0bde5b124a4c958fcbaee011947f9fd529084
Instruction ID: e26cce122df62ce4649e7e1c7dd427c3c43608cf498c7e9eecfc3ffce29ab813
Opcode Fuzzy Hash: 33412f53b8b210eb6e8daf4fd1a0bde5b124a4c958fcbaee011947f9fd529084
Instruction Fuzzy Hash: D3F022702097238AEB248F18BC60E6B6FD6F740B20B10001AF201CA284E730CD828FD4

Function 00574024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00570000,00000063,00000001,00000010,00000010,00000000), ref: 00574048
EnumResourceNamesW.KERNEL32(00000000,0000000E,005B67E9,00000063,00000000,77080280,?,?,00573EE1,?,?,000000FF), ref: 005E41B3

Strings

>W, xrefs: 00574028

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >W
API String ID: 1578290342-1358646198
Opcode ID: 0cfc4d3891658bc56c8ff4b3a70039092295a389062d01ea65ab81a15d4e4d1d
Instruction ID: 8774dad9a37927a40cd2256a355190ff372c5e8d9bcba1ec379b76d283ceda5c
Opcode Fuzzy Hash: 0cfc4d3891658bc56c8ff4b3a70039092295a389062d01ea65ab81a15d4e4d1d
Instruction Fuzzy Hash: 70F06731640314B7E7244B1ABC8AFD23EAAE71ABB5F104506F224EE1E0D7E490909AE4

Function 005B7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005B7762
_wcscmp.LIBCMT ref: 005B7774

Strings

#32770, xrefs: 005B776E

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 2893082d0005ca0aef9e49af7d5f11d6de5d8f43174e749e3ce824bb740a8920
Instruction ID: aa58156f8c6488f45189659a691cbf4473bf28824f6e389862e1d2e9c49c1013
Opcode Fuzzy Hash: 2893082d0005ca0aef9e49af7d5f11d6de5d8f43174e749e3ce824bb740a8920
Instruction Fuzzy Hash: 4CE0927760423927DB20AAA5AC09ED7FFADEB95760F010016B905D3141D664A6058BE4

Function 005AA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005AA63F

Part of subcall function 005913F1: _doexit.LIBCMT ref: 005913FB

Strings

AutoIt, xrefs: 005AA633
Error allocating memory., xrefs: 005AA638

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 081946d8afeee1a6b15215a6378218e0922832587d0585fae458981dff8ef622
Instruction ID: f192457444d852729cad5c478b0f51de5170043292f386c16e25fa8edda7a702
Opcode Fuzzy Hash: 081946d8afeee1a6b15215a6378218e0922832587d0585fae458981dff8ef622
Instruction Fuzzy Hash: 3CD02B313C072933D21436D83C1FFC93D48AB59B51F040415BB0CD51C24AE2868052ED

Function 005EAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 005EACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005EAEBD

Strings

WIN_XPe, xrefs: 005EACD3

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: bb55c627fc95856aee928f8a4140c3dbe16afaca28c56267757fd9c7155338c9
Instruction ID: 56b00e17c72d8d60ffd1958828648c016045b789fca6c5404ce4d0aa7c50a601
Opcode Fuzzy Hash: bb55c627fc95856aee928f8a4140c3dbe16afaca28c56267757fd9c7155338c9
Instruction Fuzzy Hash: E1E0EDB0C00589DFDB15DBB6D944AECBBB9BB58301F248485F156B2160DB746E84DF32

Function 005D86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005D86E2
PostMessageW.USER32(00000000), ref: 005D86E9

Part of subcall function 005B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005B7AD0

Strings

Shell_TrayWnd, xrefs: 005D86DB

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b30381abdb9d444bf6d044cb74a3cede573fb44bcfec3e593297bf8a1f0cf553
Instruction ID: c30c8a9f3e7355890752c10d9e624d63a4fa7678dc89fc7c9c7ae356fa274137
Opcode Fuzzy Hash: b30381abdb9d444bf6d044cb74a3cede573fb44bcfec3e593297bf8a1f0cf553
Instruction Fuzzy Hash: B4D0C9313853286BE3A56770AC0BFD67A29AB58B11F110815B649EA1D0C9A8A944CA64

Function 005D8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005D86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005D86B5

Part of subcall function 005B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005B7AD0

Strings

Shell_TrayWnd, xrefs: 005D869B

Memory Dump Source

Source File: 00000000.00000002.1277136121.0000000000571000.00000020.00000001.01000000.00000003.sdmp, Offset: 00570000, based on PE: true

Associated: 00000000.00000002.1277112718.0000000000570000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277281233.000000000062A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277303118.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_570000_CHARIKLIA JUNIOR DETAILS (1) (1).jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a90ffd16deee5f6722c1c60e0cd0204ab12e4f7a23cfea91b282857e5e9d381e
Instruction ID: b13647c076800f99a7e028077d055e77400493a7bcaefe651ccacfc536705a67
Opcode Fuzzy Hash: a90ffd16deee5f6722c1c60e0cd0204ab12e4f7a23cfea91b282857e5e9d381e
Instruction Fuzzy Hash: CAD0C931385328A7E3A46770AC0BFD67E29AB54B11F110815B649EA1D0C9A8A944CA64

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut42B5.tmp

C:\Users\user\AppData\Local\Temp\lecheries

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Function 0059B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00573D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0058DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0057406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 005BFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 005BBFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Function 00573F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00573742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00573E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 016CC5B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005749FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 005736B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 016CC350 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Function 00574A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre