Edit tour

Windows Analysis Report
PARATRANSFARI REMINDER.exe

Overview

General Information

Sample name:	PARATRANSFARI REMINDER.exe
Analysis ID:	1580086
MD5:	7d142eb549dacdfc9c357f482d5bf921
SHA1:	57ef6110732b2d91f90c785a3fbba4a0112cdc87
SHA256:	36b641ba0f1f45fc6bb9c6fb4f74b2a07318b5f4a420d9fbe9b59e1ac2ce3bc4
Tags:	exeuser-TeamDreier
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PARATRANSFARI REMINDER.exe (PID: 2752 cmdline: "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe" MD5: 7D142EB549DACDFC9C357F482D5BF921)

RegSvcs.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 1372 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 1968 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7535953552:AAEceAC130pKqikyDX9W3q553FopjnWE5ro/sendMessage?chat_id=1981459653", "Token": "7535953552:AAEceAC130pKqikyDX9W3q553FopjnWE5ro", "Chat_id": "1981459653", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1484a:$a1: get_encryptedPassword 0x14b36:$a2: get_encryptedUsername 0x14656:$a3: get_timePasswordChanged 0x14751:$a4: get_passwordField 0x14860:$a5: set_encryptedPassword 0x15ef2:$a7: get_logins 0x15e55:$a10: KeyLoggerEventArgs 0x15ac0:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1981c:$x1: $%SMTPDV$ 0x18200:$x2: $#TheHashHere%& 0x197c4:$x3: %FTPDV$ 0x181a0:$x4: $%TelegramDv$ 0x15ac0:$x5: KeyLoggerEventArgs 0x15e55:$x5: KeyLoggerEventArgs 0x197e8:$m2: Clipboard Logs ID 0x19a26:$m2: Screenshot Logs ID 0x19b36:$m2: keystroke Logs ID 0x19e10:$m3: SnakePW 0x199fe:$m4: \SnakeKeylogger\
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4a:$a1: get_encryptedPassword 0x14d36:$a2: get_encryptedUsername 0x14856:$a3: get_timePasswordChanged 0x14951:$a4: get_passwordField 0x14a60:$a5: set_encryptedPassword 0x160f2:$a7: get_logins 0x16055:$a10: KeyLoggerEventArgs 0x15cc0:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3d2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b604:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba37:$a4: \Orbitum\User Data\Default\Login Data 0x1ca76:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15625:$s1: UnHook 0x1562c:$s2: SetHook 0x15634:$s3: CallNextHook 0x15641:$s4: _hook
00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a1c:$x1: $%SMTPDV$ 0x18400:$x2: $#TheHashHere%& 0x199c4:$x3: %FTPDV$ 0x183a0:$x4: $%TelegramDv$ 0x15cc0:$x5: KeyLoggerEventArgs 0x16055:$x5: KeyLoggerEventArgs 0x199e8:$m2: Clipboard Logs ID 0x19c26:$m2: Screenshot Logs ID 0x19d36:$m2: keystroke Logs ID 0x1a010:$m3: SnakePW 0x19bfe:$m4: \SnakeKeylogger\
00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3931f4:$a1: get_encryptedPassword 0x3934d6:$a2: get_encryptedUsername 0x39300a:$a3: get_timePasswordChanged 0x393105:$a4: get_passwordField 0x39320a:$a5: set_encryptedPassword 0x3956e0:$a7: get_logins 0x395643:$a10: KeyLoggerEventArgs 0x3952ae:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3952ae:$x5: KeyLoggerEventArgs 0x395643:$x5: KeyLoggerEventArgs 0x395f4a:$x5: KeyLoggerEventArgs 0x3962ab:$x5: KeyLoggerEventArgs 0x39786e:$m2: Clipboard Logs ID 0x397974:$m2: Screenshot Logs ID 0x3979ca:$m2: keystroke Logs ID 0x397aff:$m3: SnakePW 0x397960:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1520	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1520	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7875:$a1: get_encryptedPassword 0x7b57:$a2: get_encryptedUsername 0x768b:$a3: get_timePasswordChanged 0x7786:$a4: get_passwordField 0x788b:$a5: set_encryptedPassword 0x9d61:$a7: get_logins 0x9cc4:$a10: KeyLoggerEventArgs 0x992f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 1520	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x992f:$x5: KeyLoggerEventArgs 0x9cc4:$x5: KeyLoggerEventArgs 0xa5cb:$x5: KeyLoggerEventArgs 0xa92c:$x5: KeyLoggerEventArgs 0xbeef:$m2: Clipboard Logs ID 0xbff5:$m2: Screenshot Logs ID 0xc04b:$m2: keystroke Logs ID 0xc180:$m3: SnakePW 0xbfe1:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4a:$a1: get_encryptedPassword 0x12f36:$a2: get_encryptedUsername 0x12a56:$a3: get_timePasswordChanged 0x12b51:$a4: get_passwordField 0x12c60:$a5: set_encryptedPassword 0x142f2:$a7: get_logins 0x14255:$a10: KeyLoggerEventArgs 0x13ec0:$a11: KeyLoggerEventArgsEventHandler
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5d2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19804:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c37:$a4: \Orbitum\User Data\Default\Login Data 0x1ac76:$a5: \Kometa\User Data\Default\Login Data
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13825:$s1: UnHook 0x1382c:$s2: SetHook 0x13834:$s3: CallNextHook 0x13841:$s4: _hook
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c1c:$x1: $%SMTPDV$ 0x16600:$x2: $#TheHashHere%& 0x17bc4:$x3: %FTPDV$ 0x165a0:$x4: $%TelegramDv$ 0x13ec0:$x5: KeyLoggerEventArgs 0x14255:$x5: KeyLoggerEventArgs 0x17be8:$m2: Clipboard Logs ID 0x17e26:$m2: Screenshot Logs ID 0x17f36:$m2: keystroke Logs ID 0x18210:$m3: SnakePW 0x17dfe:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4a:$a1: get_encryptedPassword 0x14d36:$a2: get_encryptedUsername 0x14856:$a3: get_timePasswordChanged 0x14951:$a4: get_passwordField 0x14a60:$a5: set_encryptedPassword 0x160f2:$a7: get_logins 0x16055:$a10: KeyLoggerEventArgs 0x15cc0:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3d2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b604:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba37:$a4: \Orbitum\User Data\Default\Login Data 0x1ca76:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15625:$s1: UnHook 0x1562c:$s2: SetHook 0x15634:$s3: CallNextHook 0x15641:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a1c:$x1: $%SMTPDV$ 0x18400:$x2: $#TheHashHere%& 0x199c4:$x3: %FTPDV$ 0x183a0:$x4: $%TelegramDv$ 0x15cc0:$x5: KeyLoggerEventArgs 0x16055:$x5: KeyLoggerEventArgs 0x199e8:$m2: Clipboard Logs ID 0x19c26:$m2: Screenshot Logs ID 0x19d36:$m2: keystroke Logs ID 0x1a010:$m3: SnakePW 0x19bfe:$m4: \SnakeKeylogger\
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4a:$a1: get_encryptedPassword 0x14d36:$a2: get_encryptedUsername 0x14856:$a3: get_timePasswordChanged 0x14951:$a4: get_passwordField 0x14a60:$a5: set_encryptedPassword 0x160f2:$a7: get_logins 0x16055:$a10: KeyLoggerEventArgs 0x15cc0:$a11: KeyLoggerEventArgsEventHandler
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3d2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b604:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba37:$a4: \Orbitum\User Data\Default\Login Data 0x1ca76:$a5: \Kometa\User Data\Default\Login Data
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15625:$s1: UnHook 0x1562c:$s2: SetHook 0x15634:$s3: CallNextHook 0x15641:$s4: _hook
0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a1c:$x1: $%SMTPDV$ 0x18400:$x2: $#TheHashHere%& 0x199c4:$x3: %FTPDV$ 0x183a0:$x4: $%TelegramDv$ 0x15cc0:$x5: KeyLoggerEventArgs 0x16055:$x5: KeyLoggerEventArgs 0x199e8:$m2: Clipboard Logs ID 0x19c26:$m2: Screenshot Logs ID 0x19d36:$m2: keystroke Logs ID 0x1a010:$m3: SnakePW 0x19bfe:$m4: \SnakeKeylogger\
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:50:26.292911+0100	2803305	3	Unknown Traffic	192.168.2.5	49720	104.21.67.152	443	TCP
2024-12-23T21:50:30.546086+0100	2803305	3	Unknown Traffic	192.168.2.5	49734	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T21:50:21.215308+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.8.169	80	TCP
2024-12-23T21:50:24.668403+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.8.169	80	TCP
2024-12-23T21:50:28.871550+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49726	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7535953552:AAEceAC130pKqikyDX9W3q553FopjnWE5ro/sendMessage?chat_id=1981459653", "Token": "7535953552:AAEceAC130pKqikyDX9W3q553FopjnWE5ro", "Chat_id": "1981459653", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: PARATRANSFARI REMINDER.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PARATRANSFARI REMINDER.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PARATRANSFARI REMINDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109970967.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PARATRANSFARI REMINDER.exe, 00000000.00000003.2110254293.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109970967.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PARATRANSFARI REMINDER.exe, 00000000.00000003.2110254293.0000000003E70000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F4449B
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F4C7E8
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4C75D FindFirstFileW,FindClose,	0_2_00F4C75D
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F021
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F17E
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4F47F
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F43833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43833
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F43B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43B56
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4BD48

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49726 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49734 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F52404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F52404

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002E22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PARATRANSFARI REMINDER.exe, 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PARATRANSFARI REMINDER.exe, 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F5407C

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F5427A

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

0_2_00F5407C

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F4003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F4003A

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F6CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F6CB26

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00EE3B4C
Source: PARATRANSFARI REMINDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PARATRANSFARI REMINDER.exe, 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_821ba9ad-f
Source: PARATRANSFARI REMINDER.exe, 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_82eb9a40-a
Source: PARATRANSFARI REMINDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6cfe0ca3-f
Source: PARATRANSFARI REMINDER.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_e3336fb5-2

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F4A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F4A279

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F38638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F38638

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F45264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F45264

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EEE800	0_2_00EEE800
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0DAF5	0_2_00F0DAF5
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EEE060	0_2_00EEE060
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF4140	0_2_00EF4140
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F02345	0_2_00F02345
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F60465	0_2_00F60465
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F16452	0_2_00F16452
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F125AE	0_2_00F125AE
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0277A	0_2_00F0277A
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F608E2	0_2_00F608E2
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF6841	0_2_00EF6841
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F169C4	0_2_00F169C4
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF8968	0_2_00EF8968
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F48932	0_2_00F48932
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F3E928	0_2_00F3E928
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F1890F	0_2_00F1890F
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0CCA1	0_2_00F0CCA1
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F16F36	0_2_00F16F36
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF70FE	0_2_00EF70FE
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF3190	0_2_00EF3190
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EE1287	0_2_00EE1287
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0F359	0_2_00F0F359
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F03307	0_2_00F03307
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF5680	0_2_00EF5680
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F01604	0_2_00F01604
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EF58C0	0_2_00EF58C0
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F07813	0_2_00F07813
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F01AF8	0_2_00F01AF8
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F19C35	0_2_00F19C35
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EEFE40	0_2_00EEFE40
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F67E0D	0_2_00F67E0D
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0BF26	0_2_00F0BF26
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F01F10	0_2_00F01F10
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_01659198	0_2_01659198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5B328	2_2_02C5B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C56108	2_2_02C56108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5C790	2_2_02C5C790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5C4B3	2_2_02C5C4B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C54AD9	2_2_02C54AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5CA70	2_2_02C5CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5BBD3	2_2_02C5BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C56880	2_2_02C56880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C59858	2_2_02C59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5BEB0	2_2_02C5BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5CD53	2_2_02C5CD53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C5B4F3	2_2_02C5B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C53573	2_2_02C53573

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: String function: 00F00C63 appears 70 times
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: String function: 00EE7F41 appears 35 times
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: String function: 00F08A80 appears 42 times

Source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109088646.000000000410D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PARATRANSFARI REMINDER.exe
Source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109832755.0000000003F63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PARATRANSFARI REMINDER.exe
Source: PARATRANSFARI REMINDER.exe, 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PARATRANSFARI REMINDER.exe

Source: PARATRANSFARI REMINDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@2/2

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F4A0F4 GetLastError,FormatMessageW,

0_2_00F4A0F4

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F384F3 AdjustTokenPrivileges,CloseHandle,		0_2_00F384F3
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F38AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F38AA3

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F4B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F4B3BF

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F5EF21

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F584D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F584D0

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EE4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

File created: C:\Users\user\AppData\Local\Temp\aut24E5.tmp

Jump to behavior

Source: PARATRANSFARI REMINDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PARATRANSFARI REMINDER.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PARATRANSFARI REMINDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PARATRANSFARI REMINDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109970967.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PARATRANSFARI REMINDER.exe, 00000000.00000003.2110254293.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PARATRANSFARI REMINDER.exe, 00000000.00000003.2109970967.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PARATRANSFARI REMINDER.exe, 00000000.00000003.2110254293.0000000003E70000.00000004.00001000.00020000.00000000.sdmp

Source: PARATRANSFARI REMINDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PARATRANSFARI REMINDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PARATRANSFARI REMINDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PARATRANSFARI REMINDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PARATRANSFARI REMINDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5C104 LoadLibraryA,GetProcAddress,

0_2_00F5C104

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F08AC5 push ecx; ret		0_2_00F08AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02C524B9 push 8BFFFFFFh; retf		2_2_02C524BF

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EE4A35
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F653DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F653DF

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F03307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F03307

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

API/Special instruction interceptor: Address: 1658DBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598835	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598505	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595993	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1392			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8429			Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98765

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

API coverage: 4.7 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F4449B
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F4C7E8
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4C75D FindFirstFileW,FindClose,	0_2_00F4C75D
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F021
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F17E
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4F47F
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F43833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43833
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F43B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43B56
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F4BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4BD48

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598835	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598505	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595993	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2545787334.0000000006270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000002.00000002.2544081217.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	API call chain: ExitProcess graph end node			graph_0-97792
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	API call chain: ExitProcess graph end node			graph_0-97560

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5401F BlockInput,

0_2_00F5401F

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EE3B4C

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F15BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F15BFC

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F5C104 LoadLibraryA,GetProcAddress,

0_2_00F5C104

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_01659028 mov eax, dword ptr fs:[00000030h]	0_2_01659028
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_01659088 mov eax, dword ptr fs:[00000030h]	0_2_01659088
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_01657A18 mov eax, dword ptr fs:[00000030h]	0_2_01657A18

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F381D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F381D4

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F0A2D5
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F0A2A4 SetUnhandledExceptionFilter,		0_2_00F0A2A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B25008

Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F38A73 LogonUserW,

0_2_00F38A73

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EE3B4C

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00EE4A35

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F44CFA mouse_event,

0_2_00F44CFA

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

0_2_00F381D4

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F44A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F44A08

Source: PARATRANSFARI REMINDER.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F087AB cpuid

0_2_00F087AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F15007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F15007

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F2215F GetUserNameW,

0_2_00F2215F

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00F140BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F140BA

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe

Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR

Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_81
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_XP
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_XPe
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_VISTA
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_7
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: WIN_8
Source: PARATRANSFARI REMINDER.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PARATRANSFARI REMINDER.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PARATRANSFARI REMINDER.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1520, type: MEMORYSTR

Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F56399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F56399
Source: C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe	Code function: 0_2_00F5685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F5685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PARATRANSFARI REMINDER.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
PARATRANSFARI REMINDER.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2544810443.0000000002E22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	PARATRANSFARI REMINDER.exe, 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2544810443.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	PARATRANSFARI REMINDER.exe, 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2544810443.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580086
Start date and time:	2024-12-23 21:49:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PARATRANSFARI REMINDER.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/5@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 266
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1520 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: PARATRANSFARI REMINDER.exe

Simulations

Behavior and APIs

Time	Type	Description
15:50:23	API Interceptor	215x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
checkip.dyndns.com	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226
	Play Aud.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	104.18.35.227
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.20.87.8
	vFile__0054seconds__Airborn.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://jkqbjwq.maxiite.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	172.66.43.2
	https://qulatrics.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
UTMEMUS	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.240.253.211
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.244.23.61
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Temp\Marquand

Download File

Process:	C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe
File Type:	data
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	6.883236208601841
Encrypted:	false
SSDEEP:	3072:fUGkdZZSOXHLxDGgxrNBFhmcfs7QnbdL2klNYdbmVeytxVnvCE/i+mMjUo4FIfAZ:fUHvcgeKnnvtqcWgg
MD5:	670AD47C5A67F2239FE57CB7270E6526
SHA1:	2F5E0FE7E894DC25BAD628198A6BA3E8ED0CA286
SHA-256:	FC828B5CDDC402D4C9BFB9473AD1766F28A57CB03E45A949107053645D6992D0
SHA-512:	CED6E1341EFF7E6506B74F0CB8F5A58B7DCE06BE3EBCAAF4D3A9EBC7070E473165111F429E878DA5FE08697B48CE4818831D8BF030E4D0D03DED3A390029C075
Malicious:	false
Reputation:	low
Preview:	...2SCUC2GSG..UE.N2PCUC6.SGTEUEIN2PCUC6GSGTEUEIN2PCUC6GSGTEU.IN2^\.M6.Z.u.T..of8&cF5< &$8e/\>,!cT"s5!+u,'nv..u.Y#6iYH_aIN2PCUCf.SG.DVE.c.6CUC6GSGT.UGHE3.CU.7GSSTEUEIN.BAUC.GSGtGUEI.2PcUC6ESGPEUEIN2PGUC6GSGTE5GIN0PCUC6GQG..UEYN2@CUC6WSGDEUEIN2@CUC6GSGTEUE.\0P.UC6GsET.EEIN2PCUC6GSGTEUEIN2.AUO6GSGTEUEIN2PCUC6GSGTEUEIN2PCUC6GSGTEUEIN2PCUC6GSGTEUeIN:PCUC6GSGTEUMiN2.CUC6GSGTEUEg:W(7UC6..FTEuEIN.QCUA6GSGTEUEIN2PCUc6G3i&6'&IN2.SUC6gQGTWUEI.3PCUC6GSGTEUEI.2P.{1S+<$TEYEIN2.AUC4GSG\GUEIN2PCUC6GSG.EU.IN2PCUC6GSGTEUEI. RCUC6G.GTEWELN.qBUO.GSDTEU.IN4.cTC.GSGTEUEIN2PCUC6GSGTEUEIN2PCUC6GSGTEUEIN2PCU.K.\..<6.2PCUC6FQDPC]MIN2PCUC69SGT.UEI.2PCbC6GvGTE8EIN.PCU=6GS9TEU!IN2"CUCWGSG.EUE&N2P-UC69SGT[WmiN2ZisC4orGTOUo.=.PC_.7GSC'fUEC.0PCQ0.GSM.FUEM=.PC_.2GSC'cUEC.7PCQilGP.BCUER!.PC_C5.FATENooN0xyUC<GyaTF.PON2KiwC4.ZGTA..:S2PE}.6GY3]EUG.D2PG.]4o.GTO.g7^2PG~C.e-VTEQnId..QUC2lSmv;FEIJ.Piw="GSC.E.[K.&PCQi.9FGTA~EclLFCUG.GyeRUEMe2z]W.!GSC~C.'I<.LC%@Y.SGRm.EID.0CUE6miGeUEML].CUI.m.GVmVDID2R@(u6GWEP8bEIJ..CW8.G

C:\Users\user\AppData\Local\Temp\aut24E5.tmp

Download File

Process:	C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe
File Type:	data
Category:	dropped
Size (bytes):	15016
Entropy (8bit):	7.580050133799729
Encrypted:	false
SSDEEP:	384:M9/RwgFdNQgZsxLOxw37junLf4vg72MHwob6g3xGThQ/:MR/fQgOOQfgs62wp5J
MD5:	AEE9E0F4D81212B9B569D56CD96116F8
SHA1:	6F971D04B6D5F54425FBDA94DC09438E0C69D67F
SHA-256:	8D57A899E04C2DD00BE749BB22D99020D34BC8FFB5C698B66E172964D6836C1D
SHA-512:	AD1070246356770A421AE7AC9C0F0297EC067311608E7450C512F2997909ACA390FAF2BE1DA39D70DC93B12B88DB5CB0D933E127E9E15828C5119597F5E33D05
Malicious:	false
Reputation:	low
Preview:	EA06.....Zo.........SP.n......5e...`.....\|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....\|.0...&d.....Hz..a....l?..uo.....P......V0....j......\|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8\|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...\|...<..aw.].3c..H.@B?...G..1...' ....k\|.A.O..#.....}V`....#..H\|.P!..d....0z....Y..>K..G./....G.7c.H..b....W..1....?.01..b.!...@.?..o.F\|....p9......S.!..nb.!....zb0..

C:\Users\user\AppData\Local\Temp\aut2544.tmp

Download File

Process:	C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe
File Type:	data
Category:	dropped
Size (bytes):	87720
Entropy (8bit):	7.912040740665648
Encrypted:	false
SSDEEP:	1536:WUzL4ovoJ+0FMXm0Xci3dUVpwet8A8e7/t5/4mg9c1citARrj3rF9+9VZHrTnJ:1zLYJ+0FF0MOUVpwetOKtZ4P9di48/Zh
MD5:	1C3B0D6A24957F0B799A5DBC124194C8
SHA1:	5D9009FB19D1A6287C0F20BA10D028D98A5003A6
SHA-256:	F9D856CE653AD92189D907AD24BFD5E5D38D405C8C59D1B9CC24D9317EA6685A
SHA-512:	5E1E2150D7622B9B16FB1235E45FA3F74876C6D43F042B6088D7F0AC4519F2D3CA287EA74279F2F3AD7CBB0ED329BD6FEE7D9CFD2BF7D708326D861B6FCAC431
Malicious:	false
Reputation:	low
Preview:	EA06.....D.....C.Q.t}^.E..U...m....Z......8......+..}6m.b...'.o.N%Rk..k<.I...,._\.K$6:...5....=....]e....Y.W. .y.@.tx...E.X..`..ij.zE.g...v.z=N...e..U.......<.L..0..S...%.G....I.L.)qQ..8.Z-f.2....z....[....x..B.....NU....Pj......?..i....m4.`...y.^Q7..4z.5R.u.<8...V.......y..M6.....L....h.J....<\|.!...1...J....i....x.Q.%..............}....Ze;eq.Ui.z=N..<u)4.b.T..?.../w\......b.=.5F.P..i.......0.LP.@........`..z..N@....i".-..DL.h..............i.......O.....B._...9=..E......%G..z.j...=... [..Oc..f....G.nhT:...!....9..A.Qi..}:ax..hs.=..T.j...t.i...z...A...U9.B.}.M....v.U..h.N...4...!...o^../.8.[V.Qj6.M.!........;.Qi4..B.w..!....[.....RsF.Z/.[...F..h..=....Z.Y..W..@.K...'..!t....Y....+o.I.F...d..i.....2....i1.l6.V....$.@.]f.z...8..<..5..8..%...V.O.L/....Y.[m..db.0.............uZ...Th..X..6....+of.V...j...#.ZeT*...3..a....b.:..4..^.Z.h.j4.QI.M.VZ..k:...nP.=Qe....Xj.._8....... ..@..x..d.T.....x...z4....f....ff.9.d.x..j.....@.N..MK...%.D..q..

C:\Users\user\AppData\Local\Temp\togging

Download File

Process:	C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	172054
Entropy (8bit):	3.1808056039274404
Encrypted:	false
SSDEEP:	48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70f1:iaNhCHcZLfaDfJQNy7HaPRCkJ0FZIklX
MD5:	576E98A040D48134C692B7E435EA8EA0
SHA1:	090BED4664A92142D4306A7AF73B4049FE86ACD0
SHA-256:	BB22880EA5D017D0778B0CE950B9C322D407F463FA5C7A7EF1299AAA18B5646C
SHA-512:	659F76B11CC0DFB65761DCE1E705884A44BFA6DD74AB6FC521FCEA92A461D331D3222568F658441A23EC78E5116A1AF32AE24CA2229E9E16640AC80BD9B0D97D
Malicious:	false
Preview:	hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.878654092976613
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PARATRANSFARI REMINDER.exe
File size:	982'528 bytes
MD5:	7d142eb549dacdfc9c357f482d5bf921
SHA1:	57ef6110732b2d91f90c785a3fbba4a0112cdc87
SHA256:	36b641ba0f1f45fc6bb9c6fb4f74b2a07318b5f4a420d9fbe9b59e1ac2ce3bc4
SHA512:	77d59910817caeaa0f8b10d46fb9cf849784d98550040fa6c97a65cbc5a13207f8e8c83edc60608ff5ffba61061704ca5ecfe8c7f01961ddd5dfc987994e26b1
SSDEEP:	12288:yCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga1Tc4lB6e8X:yCdxte/80jYLT3U1jfsWahT76bzZJoQ
TLSH:	2025AE2273DDC370CB669173BF69B7016EBF78614630B85B2F880D7DA950162262DB63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695419 [Mon Dec 23 12:14:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F23B07C612Dh
jmp 00007F23B07B8EF4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F23B07B907Ah
cmp edi, eax
jc 00007F23B07B93DEh
bt dword ptr [004C31FCh], 01h
jnc 00007F23B07B9079h
rep movsb
jmp 00007F23B07B938Ch
cmp ecx, 00000080h
jc 00007F23B07B9244h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F23B07B9080h
bt dword ptr [004BE324h], 01h
jc 00007F23B07B9550h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F23B07B921Dh
test edi, 00000003h
jne 00007F23B07B922Eh
test esi, 00000003h
jne 00007F23B07B920Dh
bt edi, 02h
jnc 00007F23B07B907Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F23B07B9083h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F23B07B90D5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x27578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xef000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x27578	0x27600	8c4f20cb383359fb2740a601605c1650	False	0.833048115079365	data	7.637218589138136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xef000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1e83e	data			1.0003680294423554
RT_GROUP_ICON	0xedff8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xee070	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xee084	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xee098	0x14	data	English	Great Britain	1.25
RT_VERSION	0xee0ac	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xee188	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T21:50:21.215308+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.8.169	80	TCP
2024-12-23T21:50:24.668403+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.8.169	80	TCP
2024-12-23T21:50:26.292911+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49720	104.21.67.152	443	TCP
2024-12-23T21:50:28.871550+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49726	132.226.8.169	80	TCP
2024-12-23T21:50:30.546086+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49734	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 21:50:08.112510920 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:08.232198954 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:08.232495070 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:08.233865023 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:08.353511095 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:17.637733936 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:17.641860962 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:17.761907101 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:21.164144039 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:21.215307951 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:21.396969080 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:21.397025108 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:21.397100925 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:21.424149990 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:21.424165964 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:22.684400082 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:22.684472084 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:22.704739094 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:22.704757929 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:22.705821991 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:22.746526957 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:22.786590099 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:22.827334881 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:23.121548891 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:23.121607065 CET	443	49706	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:23.121674061 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:23.155263901 CET	49706	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:23.159275055 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:23.279279947 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:24.628221035 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:24.630983114 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:24.631026030 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:24.631190062 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:24.631480932 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:24.631496906 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:24.668402910 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:25.842658043 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:25.869134903 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:25.869172096 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:26.292953014 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:26.293029070 CET	443	49720	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:26.293133020 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:26.293716908 CET	49720	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:26.296900988 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:26.298132896 CET	49726	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:26.417155981 CET	80	49704	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:26.417217016 CET	49704	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:26.417777061 CET	80	49726	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:26.417923927 CET	49726	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:26.418044090 CET	49726	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:26.537578106 CET	80	49726	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:28.828382015 CET	80	49726	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:28.862555027 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:28.862584114 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:28.862669945 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:28.866195917 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:28.866215944 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:28.871550083 CET	49726	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:30.078000069 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:30.086370945 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:30.086393118 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:30.546106100 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:30.546349049 CET	443	49734	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:30.546472073 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:30.547034025 CET	49734	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:30.551318884 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:30.670823097 CET	80	49735	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:30.670897961 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:30.671032906 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:30.790524006 CET	80	49735	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:35.078701973 CET	80	49735	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:35.093664885 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:35.121584892 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:35.213968039 CET	80	49751	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:35.214075089 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:35.214420080 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:35.333955050 CET	80	49751	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:36.699930906 CET	80	49751	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:36.700398922 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:36.701158047 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:36.701194048 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:36.701263905 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:36.701492071 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:36.701504946 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:36.746535063 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:36.820378065 CET	80	49735	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:36.820447922 CET	49735	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.156951904 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:38.171586037 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:38.171619892 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:38.628062963 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:38.628120899 CET	443	49752	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:38.628209114 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:38.628752947 CET	49752	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:38.632405996 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.633661032 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.753305912 CET	80	49751	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:38.753365993 CET	49751	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.753420115 CET	80	49758	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:38.753530025 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.753669024 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:38.873116970 CET	80	49758	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:43.162993908 CET	80	49758	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:43.167542934 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:43.215305090 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:43.287187099 CET	80	49769	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:43.287262917 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:43.287388086 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:43.406830072 CET	80	49769	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:44.688441038 CET	80	49769	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:44.689646006 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:44.689692974 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:44.689754009 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:44.690005064 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:44.690021992 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:44.690066099 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:44.730930090 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:44.821005106 CET	80	49758	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:44.821070910 CET	49758	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:45.917964935 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:45.919612885 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:45.919656992 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:46.368644953 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:46.368729115 CET	443	49775	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:46.368876934 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:46.369189978 CET	49775	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:46.372195959 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:46.373672962 CET	49781	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:46.492909908 CET	80	49769	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:46.493051052 CET	49769	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:46.493204117 CET	80	49781	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:46.493334055 CET	49781	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:46.493432999 CET	49781	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:46.613588095 CET	80	49781	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:49.083175898 CET	80	49781	132.226.8.169	192.168.2.5
Dec 23, 2024 21:50:49.101982117 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:49.102016926 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:49.102086067 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:49.106575012 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:49.106586933 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:49.137185097 CET	49781	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:50.322000980 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:50.324403048 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:50.324426889 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:50.774348974 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:50.774418116 CET	443	49787	104.21.67.152	192.168.2.5
Dec 23, 2024 21:50:50.774477005 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:50.774954081 CET	49787	443	192.168.2.5	104.21.67.152
Dec 23, 2024 21:50:50.919785976 CET	49726	80	192.168.2.5	132.226.8.169
Dec 23, 2024 21:50:50.920523882 CET	49781	80	192.168.2.5	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 21:50:07.893526077 CET	63322	53	192.168.2.5	1.1.1.1
Dec 23, 2024 21:50:08.030791998 CET	53	63322	1.1.1.1	192.168.2.5
Dec 23, 2024 21:50:21.251524925 CET	65117	53	192.168.2.5	1.1.1.1
Dec 23, 2024 21:50:21.395833015 CET	53	65117	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 21:50:07.893526077 CET	192.168.2.5	1.1.1.1	0x253b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:21.251524925 CET	192.168.2.5	1.1.1.1	0x94b4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:08.030791998 CET	1.1.1.1	192.168.2.5	0x253b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:21.395833015 CET	1.1.1.1	192.168.2.5	0x94b4	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 23, 2024 21:50:21.395833015 CET	1.1.1.1	192.168.2.5	0x94b4	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:08.233865023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:17.637733936 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 21:50:17.641860962 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:50:21.164144039 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 21:50:23.159275055 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:50:24.628221035 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49726	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:26.418044090 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 23, 2024 21:50:28.828382015 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49735	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:30.671032906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:35.078701973 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 23 Dec 2024 20:50:34 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49751	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:35.214420080 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:36.699930906 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49758	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:38.753669024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:43.162993908 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 23 Dec 2024 20:50:42 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49769	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:43.287388086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:44.688441038 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49781	132.226.8.169	80	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 21:50:46.493432999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 23, 2024 21:50:49.083175898 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:50:23 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301812 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jUQsqmc0hQBvrVz7N0irAI0RfP6KlPzm%2BYmUN84LsUds4A%2BTBSnM0K1rUITR5zDX%2BYuCDVekOps944L%2BL2xvb7A%2BzfaFIJWgEc1nFhtdfYkJoD7SniyfdX8I4HJT54aQv8NGEg%2FH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b393d6b4c440c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1603&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1768625&cwnd=252&unsent_bytes=0&cid=0bf56ef95d6884a3&ts=469&x=0"
2024-12-23 20:50:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-23 20:50:26 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301815 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYlTeikl31vHxwIKY%2FlSLYttXN26UFzQY77I6cRo8GKe8KDvfoUYUoO%2FQIa8ZwyiUIE3wGTBvZnigc1H6usnOT%2FSWtNH3RT73SDhDhCnNjVXk46W5WaBT3iyVdxE7aRslCxAxmfb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b39513f2c424c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1605&rtt_var=630&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1819314&cwnd=227&unsent_bytes=0&cid=1ccbdebf821d386e&ts=454&x=0"
2024-12-23 20:50:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49734	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-23 20:50:30 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301819 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u2EfjKMxiFWfKcHNZzOKjEGxgy2aOQLCt%2FFl7f%2Bg4naj5ADDoxIlQ1wA2rKuA%2BZd0jjOtiRtH%2BN3ZvuypRJCVWA9zbvQzs8sZJXFlg%2BI4PlUhVZZ%2BPtYJx9EeKw9rGw25v7Gl9DQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b396bbd1defa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1774&rtt_var=673&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1616832&cwnd=200&unsent_bytes=0&cid=d66dae66181b6aaa&ts=456&x=0"
2024-12-23 20:50:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49752	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:50:38 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301827 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xyn9AILSXS8%2BTT0kXHQbqE8dGp860G1xZVb9VQKIrpjvljFiJuFMugp%2B98GTKMitKtn54XbYEr%2BvpZGTPy0njzehTwJdhSgG00EhWjB5X8Kbr474nH8wtC3GLSduib%2Bz7gop33Hp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b399e3d8c42cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1631&rtt_var=646&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1649717&cwnd=242&unsent_bytes=0&cid=d44cec9c71f7d6b3&ts=715&x=0"
2024-12-23 20:50:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49775	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:50:46 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301835 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ZNkciMIkwsYoRsUtqNoWso%2BNRxOB5quz4WU9EM1jyzADPmUFXK2cIZ9f3iGHqyBRzvxBHXiFZTrsNjJeap%2FpFBnaZFLp4XQcIbP0l5RdvW6q9hU8KnNUFXDIGklqS1x1AaHmXPg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b39ceb8ad42a0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1600&rtt_var=610&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1777236&cwnd=225&unsent_bytes=0&cid=3fbb6d1f2bdb2092&ts=457&x=0"
2024-12-23 20:50:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49787	104.21.67.152	443	1520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 20:50:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 20:50:50 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 20:50:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 301839 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qoCvAuBgSq21MK5%2BXMrk8higC%2FsC2D2EpdBgSmPGKOvYZAQQJmrNb08LpPFcKLzRRXYPObsDttTa%2BPRLpoP4pQeGPY028rgzRIlkaA4C77F%2B6RsZa5fW4lvB9f3f%2FzKbS8hwd%2Fe9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6b39ea3e090f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1455&rtt_var=576&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1852791&cwnd=109&unsent_bytes=0&cid=213730d1bee17813&ts=458&x=0"
2024-12-23 20:50:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	15:50:05
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"
Imagebase:	0xee0000
File size:	982'528 bytes
MD5 hash:	7D142EB549DACDFC9C357F482D5BF921
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2112733507.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:50:06
Start date:	23/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PARATRANSFARI REMINDER.exe"
Imagebase:	0x9e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2543834958.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2544810443.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:50:50
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:50:50
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:50:50
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xb20000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	170

Executed Functions

Function 00EE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B7A
IsDebuggerPresent.KERNEL32 ref: 00EE3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA52F8,00FA52E0,?,?), ref: 00EE3BFD

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00EF0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EE3C26,00FA52F8,?,?,?), ref: 00EF0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F97770,00000010), ref: 00F1D3EC
SetCurrentDirectoryW.KERNEL32(?,00FA52F8,?,?,?), ref: 00F1D424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F94260,00FA52F8,?,?,?), ref: 00F1D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F1D4B1

Part of subcall function 00EE3A58: GetSysColorBrush.USER32(0000000F), ref: 00EE3A62
Part of subcall function 00EE3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A71
Part of subcall function 00EE3A58: LoadIconW.USER32(00000063), ref: 00EE3A88
Part of subcall function 00EE3A58: LoadIconW.USER32(000000A4), ref: 00EE3A9A
Part of subcall function 00EE3A58: LoadIconW.USER32(000000A2), ref: 00EE3AAC
Part of subcall function 00EE3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AD2
Part of subcall function 00EE3A58: RegisterClassExW.USER32(?), ref: 00EE3B28

Part of subcall function 00EE39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A15
Part of subcall function 00EE39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A36
Part of subcall function 00EE39E7: ShowWindow.USER32(00000000,?,?), ref: 00EE3A4A
Part of subcall function 00EE39E7: ShowWindow.USER32(00000000,?,?), ref: 00EE3A53

Part of subcall function 00EE43DB: _memset.LIBCMT ref: 00EE4401
Part of subcall function 00EE43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE44A6

Strings

runas, xrefs: 00F1D4A5
This is a third-party compiled AutoIt script., xrefs: 00F1D3E4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 32f7e8beb6186fc84862824f7367fd29cc5989c02591d9a9d1966cabdc1d4a14
Instruction ID: 8a1be0f643b02c218eda5fbaf5cf83639f05eb973810730844876705cf4c7173
Opcode Fuzzy Hash: 32f7e8beb6186fc84862824f7367fd29cc5989c02591d9a9d1966cabdc1d4a14
Instruction Fuzzy Hash: E351E6B190428CBADF11EBB5EC05AFDBBF4AB46700F105169F861B31A2DA709645EB21

Function 00EE4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EE4EEE,?,?,00000000,00000000), ref: 00EE4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EE4EEE,?,?,00000000,00000000), ref: 00EE5010
LoadResource.KERNEL32(?,00000000,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F), ref: 00F1DC90
SizeofResource.KERNEL32(?,00000000,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F), ref: 00F1DCA5
LockResource.KERNEL32(N,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F,00000000), ref: 00F1DCB8

Strings

SCRIPT, xrefs: 00EE5006
N, xrefs: 00F1DCB5

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N
API String ID: 3051347437-3852340653
Opcode ID: 30e75e42a2cee68dfa546ca0d184e9a28eb46aa1ef40989737008c719c9cf79b
Instruction ID: c8b70e22f3aa7bee87c2b267e5d4527a6200822e5f2438069fbe5536ca4cd633
Opcode Fuzzy Hash: 30e75e42a2cee68dfa546ca0d184e9a28eb46aa1ef40989737008c719c9cf79b
Instruction Fuzzy Hash: D1117C76200708BFD7218B66EC58F677BB9EBC9B15F20456CF416D6260DBB1EC049AA0

Function 00EE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EE4B2B

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

GetCurrentProcess.KERNEL32(?,00F6FAEC,00000000,00000000,?), ref: 00EE4BF8
IsWow64Process.KERNEL32(00000000), ref: 00EE4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EE4C45
FreeLibrary.KERNEL32(00000000), ref: 00EE4C50
GetSystemInfo.KERNEL32(00000000), ref: 00EE4C81
GetSystemInfo.KERNEL32(00000000), ref: 00EE4C8D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8d1457e6e6930e393126ca2e52a58b0744e3befa09a9f5646c82a170a8110b39
Instruction ID: b3a3aa86542fa0ad30f200b951141c30eb3b5fd689304f13f5d0ed6b74a7b569
Opcode Fuzzy Hash: 8d1457e6e6930e393126ca2e52a58b0744e3befa09a9f5646c82a170a8110b39
Instruction Fuzzy Hash: 5791057194E7C8DEC731CB6994511EAFFF4AF2A300B58499DD0CB93A42D224F948D719

Function 00F4449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F1E6F1), ref: 00F444AB
FindFirstFileW.KERNELBASE(?,?), ref: 00F444BC
FindClose.KERNEL32(00000000), ref: 00F444CC

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
Instruction ID: b5105d4054e631e078342b6a15d8996a3c7ce476dcc15995e69f92af9c20ab40
Opcode Fuzzy Hash: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
Instruction Fuzzy Hash: 23E0D832810404574210E738FC0D5E97B5CAE05335F100716FD35D11E0E7B46914A595

Function 00EEE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F241BB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 40016bdc2bd86d458f76dbc420e87bcd782e4fc327a4ef2d603d0820207de304
Instruction ID: 9f7fe19f146a0fba975d587d0924bc480585d72bcd96d30e396acb69c180fb23
Opcode Fuzzy Hash: 40016bdc2bd86d458f76dbc420e87bcd782e4fc327a4ef2d603d0820207de304
Instruction Fuzzy Hash: CBA29C74A00259CFCB24CF95C880AAEB7B1FF49314F289069E906BB351D775ED42DB91

Function 00EF0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0BBB
timeGetTime.WINMM ref: 00EF0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0FB3
Sleep.KERNEL32(0000000A), ref: 00EF0FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 00EF105A
DestroyWindow.USER32 ref: 00EF1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EF1080
Sleep.KERNEL32(0000000A,?,?), ref: 00F251DC
TranslateMessage.USER32(?), ref: 00F25FB9
DispatchMessageW.USER32(?), ref: 00F25FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F25FDB

Strings

@TRAY_ID, xrefs: 00F25AE8
@GUI_CTRLID, xrefs: 00F25293
@GUI_WINHANDLE, xrefs: 00F252E8
@COM_EVENTOBJ, xrefs: 00F25849
@GUI_CTRLHANDLE, xrefs: 00F2533D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 6d6500ccc11605d038f22d43a621927f401503013ef70e9884165efe7e0b7357
Instruction ID: 70fc00b5d1c3585cc6b1dd2cd31c8a09dcdd67bedc69f1a1978afc7775a4706e
Opcode Fuzzy Hash: 6d6500ccc11605d038f22d43a621927f401503013ef70e9884165efe7e0b7357
Instruction Fuzzy Hash: 90B23370608745DFDB24DF20D884BAAB7E1FF84714F14491DF59AA72A2CB74E844EB82

Function 00F491FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F49008: __time64.LIBCMT ref: 00F49012

Part of subcall function 00EE5045: _fseek.LIBCMT ref: 00EE505D

__wsplitpath.LIBCMT ref: 00F492DD

Part of subcall function 00F0426E: __wsplitpath_helper.LIBCMT ref: 00F042AE

_wcscpy.LIBCMT ref: 00F492F0
_wcscat.LIBCMT ref: 00F49303
__wsplitpath.LIBCMT ref: 00F49328
_wcscat.LIBCMT ref: 00F4933E
_wcscat.LIBCMT ref: 00F49351

Part of subcall function 00F4904E: _memmove.LIBCMT ref: 00F49087
Part of subcall function 00F4904E: _memmove.LIBCMT ref: 00F49096

_wcscmp.LIBCMT ref: 00F49298

Part of subcall function 00F497DD: _wcscmp.LIBCMT ref: 00F498CD
Part of subcall function 00F497DD: _wcscmp.LIBCMT ref: 00F498E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F494FB
_wcsncpy.LIBCMT ref: 00F4956E
DeleteFileW.KERNEL32(?,?), ref: 00F495A4
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F495BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F495CB
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F495DD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 2debc2756f7951fa557aeca3ff36347ddbf370c02f672b89933f453fb72deb1f
Instruction ID: 2d4071b55c0c9d2631409b8aa9d04415ff5288e18df095c67b3c31c97428e594
Opcode Fuzzy Hash: 2debc2756f7951fa557aeca3ff36347ddbf370c02f672b89933f453fb72deb1f
Instruction Fuzzy Hash: CCC15CB1E0411DAACF21DF95CC85ADFBBBDEF44314F0040AAFA09E6151DB749A44AF61

Function 00EE3023 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3074
RegisterClassExW.USER32(00000030), ref: 00EE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
LoadIconW.USER32(000000A9), ref: 00EE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

AutoIt v3 GUI, xrefs: 00EE3090
0, xrefs: 00EE3056
+, xrefs: 00EE305D
TaskbarCreated, xrefs: 00EE30A4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fec184cfdfbf6cdc24afa31408632bed30fc669373719410f5643d717019df7b
Instruction ID: cd9e7e2f7456782dc0d8e4e5061781feac48ff4d22f18084ffde0602ffaf5da1
Opcode Fuzzy Hash: fec184cfdfbf6cdc24afa31408632bed30fc669373719410f5643d717019df7b
Instruction Fuzzy Hash: 613119B1841309AFDB50CFA4EC85BCDBBF4FB09710F14452AE590E62A1D3B94589EF51

Function 00EE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3074
RegisterClassExW.USER32(00000030), ref: 00EE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
LoadIconW.USER32(000000A9), ref: 00EE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

AutoIt v3 GUI, xrefs: 00EE3090
0, xrefs: 00EE3056
+, xrefs: 00EE305D
TaskbarCreated, xrefs: 00EE30A4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c9dd22c77d1ce286390cd79152148b4ccadf29a85292a8afd8284fa3a5d49828
Instruction ID: f1a304fbccc165a3f8ec294080e3c4e373a6c621becd8963202a9c43c9d6c03b
Opcode Fuzzy Hash: c9dd22c77d1ce286390cd79152148b4ccadf29a85292a8afd8284fa3a5d49828
Instruction Fuzzy Hash: C721C4B1D1121CAFDB00DFA4ED89B9DBBF4FB09B00F00412AF921A62A0D7B54548AF91

Function 00EE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FA52F8,?,00EE37C0,?), ref: 00EE4882

Part of subcall function 00F0068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EE72C5), ref: 00F006AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EE7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F1EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F1EC62
RegCloseKey.ADVAPI32(?), ref: 00F1ECA0
_wcscat.LIBCMT ref: 00F1ECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00EE72FE
\Include\, xrefs: 00EE72C5
Include, xrefs: 00F1EC18, 00F1EC59
\, xrefs: 00F1ED1C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8eda847e161ad615791863adfc194e8220129ddc3561edfd93b3450c8ade39f2
Instruction ID: 5caa9b3fa389ab5347d04d6fa90cbf3e0ff4525fad9a1ac3cda907441f0d7dc5
Opcode Fuzzy Hash: 8eda847e161ad615791863adfc194e8220129ddc3561edfd93b3450c8ade39f2
Instruction Fuzzy Hash: FC71C2B15083099ECB04DF65EC81A9BBBE8FF99350F44052EF445D31B1DB709948EB92

Function 00EE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A71
LoadIconW.USER32(00000063), ref: 00EE3A88
LoadIconW.USER32(000000A4), ref: 00EE3A9A
LoadIconW.USER32(000000A2), ref: 00EE3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AD2
RegisterClassExW.USER32(?), ref: 00EE3B28

Part of subcall function 00EE3041: GetSysColorBrush.USER32(0000000F), ref: 00EE3074
Part of subcall function 00EE3041: RegisterClassExW.USER32(00000030), ref: 00EE309E
Part of subcall function 00EE3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
Part of subcall function 00EE3041: InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
Part of subcall function 00EE3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
Part of subcall function 00EE3041: LoadIconW.USER32(000000A9), ref: 00EE30F2
Part of subcall function 00EE3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

#, xrefs: 00EE3B0D
0, xrefs: 00EE3B06
AutoIt v3, xrefs: 00EE3B17

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3b4f1dfd084fe50060f71fc12db4365f3d8d88e21859a8f051b3edfde3e85b08
Instruction ID: 1af126ee713407aba1e815b4a133278ee8f1c7e7766635e4d85a4f1b5be30969
Opcode Fuzzy Hash: 3b4f1dfd084fe50060f71fc12db4365f3d8d88e21859a8f051b3edfde3e85b08
Instruction Fuzzy Hash: 962126B1D0030CAFEB10DFA5ED09B9D7BF4FB0AB15F10012AF504AA2A1D3B55A54AF94

Function 00EE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00EE36D2
KillTimer.USER32(?,00000001), ref: 00EE36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE372A
CreatePopupMenu.USER32 ref: 00EE373E
PostQuitMessage.USER32(00000000), ref: 00EE375F

Strings

TaskbarCreated, xrefs: 00EE3725

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e64353d56437f3f0cc81bc2d5f2089d7596a7e5739685c44563b6114ea2d49b3
Instruction ID: 7d1cf7bcf193c2b7962543dc42ef224b616f391afe9698a9ff375dd167b3df43
Opcode Fuzzy Hash: e64353d56437f3f0cc81bc2d5f2089d7596a7e5739685c44563b6114ea2d49b3
Instruction Fuzzy Hash: CB4127F220058DFBDB109F75EC0DBBA37A5EB01700F141126FA12F72A2CAA59E44B261

Function 00EE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00EE380D
CMDLINE, xrefs: 00EE3834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00EE37C0
/AutoIt3OutputDebug, xrefs: 00EE38A4
/AutoIt3ExecuteLine, xrefs: 00EE38B9
/AutoIt3ExecuteScript, xrefs: 00EE38CE
/ErrorStdOut, xrefs: 00EE388F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: bdb006bd34584721bf7592a07a12ea35077651eae968515838982f2a842c6bd8
Instruction ID: f667541f1a53c1dad96493d2f5920122daf8e137cff019e4b1ad15b6d0f39072
Opcode Fuzzy Hash: bdb006bd34584721bf7592a07a12ea35077651eae968515838982f2a842c6bd8
Instruction Fuzzy Hash: 62A16171D1025D9ACB14EBE2DC95AEEB7F8BF14700F40102AF416B7192EF759A09DB60

Function 01658178 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01658249
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0165846F

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: b0325a037c85c53f661a0f5ccf6d96a2cc628ecc3cdce0843acba03e268e7ea7
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 55A11870E00209EBEB54CFE5C894BEEBBB9BF48304F208159EA11BB291D7759A41CF54

Function 00EE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A36
ShowWindow.USER32(00000000,?,?), ref: 00EE3A4A
ShowWindow.USER32(00000000,?,?), ref: 00EE3A53

Strings

edit, xrefs: 00EE3A30
AutoIt v3, xrefs: 00EE3A0D, 00EE3A12, 00EE3A13

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7fc349f6555c08d60953edb362fbab4d5c3d7b6344ea69a7fa56b7f7d5e9e39f
Instruction ID: 7bc6b4abc633aa53819e0c48736fdfa4beb48b25df09bb02518182f034a6d703
Opcode Fuzzy Hash: 7fc349f6555c08d60953edb362fbab4d5c3d7b6344ea69a7fa56b7f7d5e9e39f
Instruction Fuzzy Hash: BEF03AB05102987EEB3057637C08F2B3EBDD7C7F50B00002ABA00A2171C6610800FAB0

Function 01657F58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01657E48: Sleep.KERNELBASE(000001F4), ref: 01657E59

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0165806C

Strings

EIN2PCUC6GSGTEU, xrefs: 016580CF, 016580D2

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateFileSleep
String ID: EIN2PCUC6GSGTEU
API String ID: 2694422964-2985934052
Opcode ID: 058380c4477b17c4634acfda8e149b6d60df8063b77d7fa3c36687b97d5409dc
Instruction ID: 070e911e843fbf71bfc471104109f2f472001b8bf1dcbc16f076f6db7e0076ee
Opcode Fuzzy Hash: 058380c4477b17c4634acfda8e149b6d60df8063b77d7fa3c36687b97d5409dc
Instruction Fuzzy Hash: FF519F71D04249EBEF11DBA4CC14BEEBB79AF18300F004198E609BB2C1D7B91B49CB65

Function 00EE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F1D51C

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

_memset.LIBCMT ref: 00EE418D
_wcscpy.LIBCMT ref: 00EE41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE41F1

Strings

Line: , xrefs: 00F1D545

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ed20a904f657fdd1f8c459a9ad19573a4dda9c745b990ce15146a77f8bc21722
Instruction ID: 55bf2f62447dbc5f228ba86f03e0ed2f6716b66addf60c3a6c3f7b594d34783a
Opcode Fuzzy Hash: ed20a904f657fdd1f8c459a9ad19573a4dda9c745b990ce15146a77f8bc21722
Instruction Fuzzy Hash: 3231E0B140838DAAE721EB61DC4ABDB77ECAF55704F10551EF184A20E1EB70A688D793

Function 00F0558D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F055EB
_memcpy_s.LIBCMT ref: 00F0565D
__read_nolock.LIBCMT ref: 00F056BB
__filbuf.LIBCMT ref: 00F056DE
_memset.LIBCMT ref: 00F05722

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: d78eec301ca9ccc225f76f0b09e16dc7ef7fe7358e073c1682c1dc98b80e0884
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: AB51B271E00B09DBDF248EA98C8466F77A6AF40B34F648729E825962D0D7B19D50BF50

Function 00EE69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00EE4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4F6F

_free.LIBCMT ref: 00F1E5BC
_free.LIBCMT ref: 00F1E603

Part of subcall function 00EE6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6D0D

Strings

Bad directive syntax error, xrefs: 00F1E5EB
>>>AUTOIT SCRIPT<<<, xrefs: 00F1E392

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 390aab59629a0ab5000e5bae4b064c6826a3da07331ca5456e858837283d46cf
Instruction ID: 146eb7c8f62ca9da0ef0ef7b2cc5e216b6501b094d206a71fed69871ace66656
Opcode Fuzzy Hash: 390aab59629a0ab5000e5bae4b064c6826a3da07331ca5456e858837283d46cf
Instruction Fuzzy Hash: 98918D71D10259AFCF04EFA5CC919EDBBB4FF18314F14442AF815AB2A1EB34A945EB60

Function 00EE35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EE35A1,SwapMouseButtons,00000004,?), ref: 00EE35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE35F5
RegCloseKey.KERNELBASE(00000000,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE3617

Strings

Control Panel\Mouse, xrefs: 00EE35D2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
Instruction ID: 8e86be9755432757d3a269296389a3b1f1a487077fbfeabf98681f700ed9b842
Opcode Fuzzy Hash: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
Instruction Fuzzy Hash: 3511487191024DBFDB20CFB5EC489EEBBB8EF05744F0164A9E805E7210D2719E44A760

Function 01656E48 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01657675
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01657699
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016576BB

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 690631bfd32fab61b4f84aa360e497e87267d87935d35975da4e20ee3e8dbf74
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 84620A30A142589BEB64CFA4CC40BEEB776EF58300F5091A9D50DEB390E7799E81CB59

Function 00F49604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00EE5045: _fseek.LIBCMT ref: 00EE505D

Part of subcall function 00F497DD: _wcscmp.LIBCMT ref: 00F498CD
Part of subcall function 00F497DD: _wcscmp.LIBCMT ref: 00F498E0

_free.LIBCMT ref: 00F4974B
_free.LIBCMT ref: 00F49752
_free.LIBCMT ref: 00F497BD

Part of subcall function 00F02ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09BA4), ref: 00F02EE9
Part of subcall function 00F02ED5: GetLastError.KERNEL32(00000000,?,00F09BA4), ref: 00F02EFB

_free.LIBCMT ref: 00F497C5

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
Instruction ID: 59cf19af9fca3109110f4456bca1392084a72b4d383867bddd1f21cbde6e23ce
Opcode Fuzzy Hash: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
Instruction Fuzzy Hash: F15191B1E04258AFDF249F64DC85AAEBBB9EF48314F00409EF609A7241DB755E80DF58

Function 00F0487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F04910
__flush.LIBCMT ref: 00F04930
__write.LIBCMT ref: 00F04963
__flsbuf.LIBCMT ref: 00F04991

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: e2daa60a823b252b757ab46d6bc0fb7387acbd3e1ecef2f19e6ed86b6b2e0496
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: 7541D6B1A04706ABDF18CEA9C88096F7BA5AF44370B24C53DEA55C76C0D670FD40BB50

Function 00EE73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1ED92
GetOpenFileNameW.COMDLG32(?), ref: 00F1EDDC

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

Part of subcall function 00F00911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F00930

Strings

X, xrefs: 00F1EDAA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: aaec992382b4623a3615e385f09dffe16e6c72878c21befbb5ad5ce90dfad9d2
Instruction ID: 943fa75c9b12aa40e9ee27fadcd5f91d6fe72e0759061539005a6d4efc021891
Opcode Fuzzy Hash: aaec992382b4623a3615e385f09dffe16e6c72878c21befbb5ad5ce90dfad9d2
Instruction Fuzzy Hash: F321C670A0428CABDF41DF94DC45BEE7BF8AF49714F004019E509B7282DFB45989ABA1

Function 00F48E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F48E55
__fread_nolock.LIBCMT ref: 00F48E6A

Strings

EA06, xrefs: 00F48E9C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6e899d465794dc36001d26a3f8699b3d0aa759d4f59bad062a384e3756346449
Instruction ID: c369147ca872fb82e5e85bb5908232d2ade027e6ec8851e07e8095a7a3cbb599
Opcode Fuzzy Hash: 6e899d465794dc36001d26a3f8699b3d0aa759d4f59bad062a384e3756346449
Instruction Fuzzy Hash: 2301B972D04218BEDB28C6A8CC56FEE7BF8DB15711F00459AF552D21C1E9B9E608AB60

Function 00F4998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F499A1
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F499B8

Strings

aut, xrefs: 00F499B2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cabd2ae00dcd3bca8ff4a17ca7aac14123c4c85fbb174fa236b7eaa5a1f9414f
Instruction ID: 75e4355058ab6f36e55727ef93317c427cd9e34d15221c30963c97559eaaad8a
Opcode Fuzzy Hash: cabd2ae00dcd3bca8ff4a17ca7aac14123c4c85fbb174fa236b7eaa5a1f9414f
Instruction Fuzzy Hash: 5CD05E7958030DABDB509BA0EC0EF9A773CE704704F0002B1FA64910A1EAB0959D9FA1

Function 00F5CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06742e509ace49f5b0ba4f4d22431bd313981704d0174ae1bce7c48082d8739
Instruction ID: 4f4b1773798b81d9f16f1ca788fe0798543042e20b03f60889aea268e081d270
Opcode Fuzzy Hash: f06742e509ace49f5b0ba4f4d22431bd313981704d0174ae1bce7c48082d8739
Instruction Fuzzy Hash: 9AF16D719083459FC714DF28C880A2ABBE5FF88314F14892EF99A9B351D775E945CF82

Function 00EEF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F002E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F00313
Part of subcall function 00F002E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F0031B
Part of subcall function 00F002E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F00326
Part of subcall function 00F002E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F00331
Part of subcall function 00F002E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F00339
Part of subcall function 00F002E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F00341

Part of subcall function 00EF6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EEFA90), ref: 00EF62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EEFB2D
OleInitialize.OLE32(00000000), ref: 00EEFBAA
CloseHandle.KERNEL32(00000000), ref: 00F24921

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 57dcf8fbcac92d91ac785c9cd6178b3fde541cb3b30b87f334714efceb8a223a
Instruction ID: af0c8efc26727f448dc1ec76e677245d2584fca6c4c5446ec07c57765e217b6b
Opcode Fuzzy Hash: 57dcf8fbcac92d91ac785c9cd6178b3fde541cb3b30b87f334714efceb8a223a
Instruction Fuzzy Hash: 2981CFF0915B4CDFCB84DF39A9646197BE5FB8EB06350812AD819DB262EB704488FF11

Function 00EE43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE44C3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: fcb8f24766e768ab86fe97f129097a40c7ee634afe25a3334480d045301616b0
Instruction ID: d6d78f920443a91e47f03f274ace4f9c446164ffc6273b1687ec9add435226fd
Opcode Fuzzy Hash: fcb8f24766e768ab86fe97f129097a40c7ee634afe25a3334480d045301616b0
Instruction Fuzzy Hash: 49318EF06047499FD720DF25D88479BBBF8FB49708F00092EF5AA96291E770A944DB92

Function 00F0588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F058A3

Part of subcall function 00F0A2EB: __NMSG_WRITE.LIBCMT ref: 00F0A312
Part of subcall function 00F0A2EB: __NMSG_WRITE.LIBCMT ref: 00F0A31C

__NMSG_WRITE.LIBCMT ref: 00F058AA

Part of subcall function 00F0A348: GetModuleFileNameW.KERNEL32(00000000,00FA33BA,00000104,?,00000001,00000000), ref: 00F0A3DA
Part of subcall function 00F0A348: ___crtMessageBoxW.LIBCMT ref: 00F0A488

Part of subcall function 00F0321F: ___crtCorExitProcess.LIBCMT ref: 00F03225
Part of subcall function 00F0321F: ExitProcess.KERNEL32 ref: 00F0322E

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00F00F53,?), ref: 00F058CF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ae61c3360312a25830cf0c555404f2629fd5df83a991f4a19c31c2073412d18e
Instruction ID: 4664079990376b545b3e04a516156489ff7e18d224cd918eed07b53f90acb182
Opcode Fuzzy Hash: ae61c3360312a25830cf0c555404f2629fd5df83a991f4a19c31c2073412d18e
Instruction Fuzzy Hash: 3301DE72640B069AE6102774AC02B2F7798DF82BB0B504439F801AA1D2DEB89E017A61

Function 00F4994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F495F1,?,?,?,?,?,00000004), ref: 00F49964
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F495F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F4997A
CloseHandle.KERNEL32(00000000,?,00F495F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F49981

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 5f8c5e1954a2adb2806d5049622ecbf742181edf122e9fc38db957d399176abf
Instruction ID: 0eecdc2b3731107dbdfdbbd1a44fa22fa15dc91e67c3c93e39526708c9e99ad5
Opcode Fuzzy Hash: 5f8c5e1954a2adb2806d5049622ecbf742181edf122e9fc38db957d399176abf
Instruction Fuzzy Hash: A1E08632241218B7DB211B54FC0AFDA7F58AB467B0F104220FB64690E087F11915A798

Function 00F48DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F48DC4

Part of subcall function 00F02ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09BA4), ref: 00F02EE9
Part of subcall function 00F02ED5: GetLastError.KERNEL32(00000000,?,00F09BA4), ref: 00F02EFB

_free.LIBCMT ref: 00F48DD5
_free.LIBCMT ref: 00F48DE7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction ID: 5ae28eed48e278d5b2361f175a8481575d2ba1b7036f30041a82ad0238f5016e
Opcode Fuzzy Hash: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction Fuzzy Hash: 4CE012A1E4260143CA646578ED44E9727EC5F583B1754081DF80AD75C2CE28E882B134

Function 00EEAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F1FF5A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: af890747988880e9086f0471a196ca79fc5cfb6557a180ab82b58cc9702f51c5
Instruction ID: eac789d9fddd75c74ab42bb49ac1bf04910e186b2068598561f6189bda9e615a
Opcode Fuzzy Hash: af890747988880e9086f0471a196ca79fc5cfb6557a180ab82b58cc9702f51c5
Instruction Fuzzy Hash: E4226971508285DFC724DF15C490B6AB7E1FF84304F18996DE88AAB262DB35EC85DB82

Function 00EE4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE4E1A

Strings

EA06, xrefs: 00F1DC25

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 5c8b171ed9d7acc5695f8d08d06f49823eb2968eac184ef2dacf46abc4794083
Instruction ID: 17c77882626abe4cb1715824d88af2083009429e156e51393bffa2d4d63290f4
Opcode Fuzzy Hash: 5c8b171ed9d7acc5695f8d08d06f49823eb2968eac184ef2dacf46abc4794083
Instruction Fuzzy Hash: FE417DA2A041DC5BCF218B658C51BFE7BA5AB05304F686065F842BF2D2C6219D40D3E1

Function 00F4785C Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F47984

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 44090a73806a0c84fa2a2afbaad4390174401ad3f6745649b165bc964c40c128
Instruction ID: f8b462aa7f8a3e6a47405d9c7a44b7b50655d73fe52aa6b42d72247093a34aa5
Opcode Fuzzy Hash: 44090a73806a0c84fa2a2afbaad4390174401ad3f6745649b165bc964c40c128
Instruction Fuzzy Hash: 0741C77291830AABD720FFA89981A7EBBE4EF09350F244459F4859B282DF759C05F760

Function 00EE492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00EE4992

Part of subcall function 00F034EC: __lock.LIBCMT ref: 00F034F2
Part of subcall function 00F034EC: DecodePointer.KERNEL32(00000001,?,00EE49A7,00F37F9C), ref: 00F034FE
Part of subcall function 00F034EC: EncodePointer.KERNEL32(?,?,00EE49A7,00F37F9C), ref: 00F03509

Part of subcall function 00EE4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EE4A73
Part of subcall function 00EE4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE4A88

Part of subcall function 00EE3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B7A
Part of subcall function 00EE3B4C: IsDebuggerPresent.KERNEL32 ref: 00EE3B8C
Part of subcall function 00EE3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA52F8,00FA52E0,?,?), ref: 00EE3BFD
Part of subcall function 00EE3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE49D2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 0e5675bb8a5180e08215f85c82e0175e4f8637c24c11d7191e0a1a9cd435740d
Instruction ID: e934445317f891ed51c7c50dbcac6cee2b16ae8789053dd7a57cefa021f81ccb
Opcode Fuzzy Hash: 0e5675bb8a5180e08215f85c82e0175e4f8637c24c11d7191e0a1a9cd435740d
Instruction Fuzzy Hash: 061190B14043599BC700DF39EC4591AFBE8EF8A710F00451EF455A72B2DB719548EB92

Function 00EE5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00EE5981,?,?,?,?), ref: 00EE5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00EE5981,?,?,?,?), ref: 00F1E0CC

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e43e3da4ebf5f04c0e20026f449c2085462697db4619dfac72ebb44fe1813bf
Instruction ID: 0e7dfad4ecbb3e609d15384b40c94b68b9cc6458e8c6dd200e2f8bec22906a4b
Opcode Fuzzy Hash: 1e43e3da4ebf5f04c0e20026f449c2085462697db4619dfac72ebb44fe1813bf
Instruction Fuzzy Hash: 7001927114474CBEF3240E25DC8AFA63BDCEB0576CF108318FAE56A1E0C6B01E899B10

Function 00F00F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F0588C: __FF_MSGBANNER.LIBCMT ref: 00F058A3
Part of subcall function 00F0588C: __NMSG_WRITE.LIBCMT ref: 00F058AA
Part of subcall function 00F0588C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00F00F53,?), ref: 00F058CF

std::exception::exception.LIBCMT ref: 00F00F6C
__CxxThrowException@8.LIBCMT ref: 00F00F81

Part of subcall function 00F0871B: RaiseException.KERNEL32(?,?,?,00F99E78,00000000,?,?,?,?,00F00F86,?,00F99E78,?,00000001), ref: 00F08770

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 42cfc5fa9e68d383af29dee339cd4bad144c8847a3a8cc48c7d0b8d1268ccbe2
Instruction ID: 7d40627fcc3d567fa6e14ffce2b9a6f407c0ae16fe3d7def8cf76269363b4a18
Opcode Fuzzy Hash: 42cfc5fa9e68d383af29dee339cd4bad144c8847a3a8cc48c7d0b8d1268ccbe2
Instruction Fuzzy Hash: C9F0A97150421E66DB20BA58EC01ADE7B9CDF01361F104466FD48962D2DFB58A51B5D1

Function 00F0576D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0579C
__lock_file.LIBCMT ref: 00F057BD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5e010c9aa86e46e27e8416f1f3773055b53e85c777f96e07584f0e55aa927617
Instruction ID: f54e6e3019f00aedaed2511d4f0b645d9ead1f0c1f2519896b153c6a6759527c
Opcode Fuzzy Hash: 5e010c9aa86e46e27e8416f1f3773055b53e85c777f96e07584f0e55aa927617
Instruction Fuzzy Hash: 9C014431D01A09EBDF11AF698C0559F7B72BF80760F148115F8545A1D1DBB98A22FF91

Function 00F05516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

__lock_file.LIBCMT ref: 00F0555B

Part of subcall function 00F06D8E: __lock.LIBCMT ref: 00F06DB1

__fclose_nolock.LIBCMT ref: 00F05566

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 177639d16e04564f3357f2bc2162e51c6d051c20daa972e756aa97e58d99b742
Instruction ID: d1ec5412e6e4a9e37fa3952ab4aeab1920fd248d5042aacb354f1c29e3c744e7
Opcode Fuzzy Hash: 177639d16e04564f3357f2bc2162e51c6d051c20daa972e756aa97e58d99b742
Instruction Fuzzy Hash: A0F0B431D01A01AAEB20AB758C0277F77A26F41779F288209F454AB1C1CBBC8902BF52

Function 00EE81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00EE558F,?,?,?,?,?), ref: 00EE81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00EE558F,?,?,?,?,?), ref: 00EE820D

Part of subcall function 00EE78AD: _memmove.LIBCMT ref: 00EE78E9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 5644b64d175cccf603543855dc8300bb5362797fbfbddfcdc7c69f25aad27b42
Instruction ID: 9b84f9e7e482ef3bd56bcbc6bdb4f2659193e2752cc26e01a58a6b42fde69168
Opcode Fuzzy Hash: 5644b64d175cccf603543855dc8300bb5362797fbfbddfcdc7c69f25aad27b42
Instruction Fuzzy Hash: F101A2712055087FEB246A22ED46F7B7B5CEB8A360F10802AF905DD1E0DE609800E671

Function 01656E45 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01657675
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01657699
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016576BB

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: d3ea2f395ed3d42f37b3d258099a9490635bcd1277d9003ff89452f065342816
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: EF12C024E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00EF2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958a0ee3f289518ffcc11a662764739bf543a1eb08b9937d90e4e4bd4d83cf49
Instruction ID: 6b484bd5a1e91e47a2d788aa56a327b47afd1e776938e817db27712b2a43e6de
Opcode Fuzzy Hash: 958a0ee3f289518ffcc11a662764739bf543a1eb08b9937d90e4e4bd4d83cf49
Instruction Fuzzy Hash: 0D519131600618AFCF14EB64C991EAE77E5AF45324F149068FA4ABB392CB34ED00EB55

Function 00EE5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00EE5CF6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2cc1df9655bb698219794297c62ebdca8a79106b6bea9bf7064ac5c3cad06b2f
Instruction ID: eef511dc6824517719f77fcf9f4d0cc8da4689abda3e87e25ba61d89bd45198e
Opcode Fuzzy Hash: 2cc1df9655bb698219794297c62ebdca8a79106b6bea9bf7064ac5c3cad06b2f
Instruction Fuzzy Hash: 7C314F72A00B49AFCB18DF6EC89469DF7B5FF48318F248619D819A3710D771B950DB90

Function 00F00D88 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F00E37

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 12f4b065811a291a21a6e7dab3f0bf3e76675a0465e860dacb4fd0b78f606a9f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1331F575A011069BC718DF48C584A69FBA2FF49310F688AA5E409DB291DF30EDC1EB90

Function 00F20005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F20010

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ad2e983111eb5db449f48cb75cb921f690bc87b4180183d970e803e8576753bd
Instruction ID: 58854285c6dbef84d62731612fb941464308eb9f2d799585b409f7f237a9ee06
Opcode Fuzzy Hash: ad2e983111eb5db449f48cb75cb921f690bc87b4180183d970e803e8576753bd
Instruction Fuzzy Hash: 6F4147755083558FDB24CF15C484B1ABBE0BF85318F0988ACE8999B362C736FC45DB42

Function 00EE5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE5B61

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 333aaf0269d9eb0069992006cd153e4e18f917399e1d42bebbe564a4f4089038
Instruction ID: 98b799a247ccb8ec2e76b24a321232b8c59762c330aa21008415683f929e06fa
Opcode Fuzzy Hash: 333aaf0269d9eb0069992006cd153e4e18f917399e1d42bebbe564a4f4089038
Instruction Fuzzy Hash: EB210572900A0DEBDB109F56EC817A97FF8EB54351F21846EE886D5110EBB085D0B755

Function 00EEC707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00EEC73D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: d13e51f823bf5cd2545db5d237dfc6ffb5e392146c1ae51f0cd36d718572f7d5
Instruction ID: 99875f55294437ad353d6fd3b17cbf8c37ef989066fbe59144d734e3dfb925bd
Opcode Fuzzy Hash: d13e51f823bf5cd2545db5d237dfc6ffb5e392146c1ae51f0cd36d718572f7d5
Instruction Fuzzy Hash: 8811AF3290415DDBDB14EBAADC819EEB7B8FF55360F10512AF814B71A0EB30AD46DB90

Function 00EE4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00EE4D4D

Part of subcall function 00F053CB: __wfsopen.LIBCMT ref: 00F053D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4F6F

Part of subcall function 00EE4CC8: FreeLibrary.KERNEL32(00000000), ref: 00EE4D02

Part of subcall function 00EE4DD0: _memmove.LIBCMT ref: 00EE4E1A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 2c872c2718e0098f4adc77e464e5f8d1b499824c90b5a8972f3bc0c3fd7b1924
Instruction ID: cea1701f861dd84bb56bdcf27dc16381346f5848c266dc92114d01e7f1c571f0
Opcode Fuzzy Hash: 2c872c2718e0098f4adc77e464e5f8d1b499824c90b5a8972f3bc0c3fd7b1924
Instruction Fuzzy Hash: 5711C472B0020EAADB10AF61DC12FAE77E59F40B10F109829F941B62C1DAB59A05EB90

Function 00F200DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F200EA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2b1af5c82061605c6e6b9bffe6a2c40383ae12ebddd5ee254418303454538e7a
Instruction ID: c23f7c8ed2a6d4cfcdec08f1a92dff2299bb862b1165fbfe51d92e4f10641882
Opcode Fuzzy Hash: 2b1af5c82061605c6e6b9bffe6a2c40383ae12ebddd5ee254418303454538e7a
Instruction Fuzzy Hash: 652115B55083958FCB14DF14C844B1ABBE0BF84314F09896CE89567762DB31F845EB52

Function 00EE5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00EE5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00EE5D76

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 869b615e372ff4641b68a0bcbbc454b69c3af90d6e8fd9de4ab1fd4c1a6f0a1a
Instruction ID: 1cd5e0a3111b59030bcacac980ac9b039ea3943fdbfc447ccba8dc7ae08a0a65
Opcode Fuzzy Hash: 869b615e372ff4641b68a0bcbbc454b69c3af90d6e8fd9de4ab1fd4c1a6f0a1a
Instruction Fuzzy Hash: B6113A32200B499FD3308F16C884B63B7E9EF45768F10D92EE4AA96A50D7B0E945CB60

Function 00EEC6DA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00EEC73D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 0348aa5b13100cb90b80e8c76e4aaafc0dd3c9eb3a6e468b2ef4f830efed58fb
Instruction ID: 810a5e19639162400c2632f2a4227b3cf19fa32ee93ed4a4aad6db1e0b357992
Opcode Fuzzy Hash: 0348aa5b13100cb90b80e8c76e4aaafc0dd3c9eb3a6e468b2ef4f830efed58fb
Instruction Fuzzy Hash: A901C432C082D95FDB05AB6AC8505EDFFB49F67360F69809BD850FB192D2359C46CB41

Function 00EE5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F1E071

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 63f98075173fc353d443e45181684640797c3b03f0cf6681a76f29982698bb2e
Instruction ID: 93d14a38a3c5533c15d0248d6f11d1852030bf9d4d4c56bf9dc05664c13249fc
Opcode Fuzzy Hash: 63f98075173fc353d443e45181684640797c3b03f0cf6681a76f29982698bb2e
Instruction Fuzzy Hash: 4B01A2B5600546AFC305DB69D941D26FBA9FF89314B148159F819C7702DB35FC22DBE0

Function 00F049D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F04A16

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a5943c3c6625c124cb9196cffcfc642c5351d129a65d55fb2878fa5905d2bce4
Instruction ID: 46a12824dad63dd713f26cccef3341e219cdd597922e4b7a681f2b3c7dc531a9
Opcode Fuzzy Hash: a5943c3c6625c124cb9196cffcfc642c5351d129a65d55fb2878fa5905d2bce4
Instruction Fuzzy Hash: 15F0AF72A40206EBDF21AFB48C0639E76A1AF40365F048514B524AA1D1DBBC9911FF55

Function 00EE4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4FDE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68db6c1ff472c0b0cbccbde27eee57a581a85a89ad613ab69bc220cdabfd3b7e
Instruction ID: 4d89a74b82a5c94a3824ff9341f5b100a452f355f8c06888e1ca9a74fe261d40
Opcode Fuzzy Hash: 68db6c1ff472c0b0cbccbde27eee57a581a85a89ad613ab69bc220cdabfd3b7e
Instruction Fuzzy Hash: 53F030B1205755CFCB349F65E894852BBE1AF04729314AA3EE1D692650C7719844DF40

Function 00F00911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F00930

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: bcfe7050beafb1028cd23163a0677598e7385f810a0de4dbbad697a13e7a79a1
Instruction ID: 6586ff3538891b8ba6d3b018dcb025c902534e84920c51d41f538f7f2b93a194
Opcode Fuzzy Hash: bcfe7050beafb1028cd23163a0677598e7385f810a0de4dbbad697a13e7a79a1
Instruction Fuzzy Hash: CCE0CD3694512C57C720D6589C05FFA77EDDF89790F0501B5FD4CD7304D9A45C818690

Function 00F48F48 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F48F6A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction ID: e944cc8527a46d87cda8c8c76dc71c4cd68413923331fd506667916760968a5d
Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction Fuzzy Hash: 2BE092B5604B009BDB358A24D8007A377E1AB05324F00081CF69AC3242EBA3B846DB59

Function 00EE5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00F1E09B,?,?,00000000), ref: 00EE5DBF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4010094197a08bc98aac9eafcbcae97231105ce52ef1739ebdcd82c2b5af14b4
Instruction ID: 7ccf2c3a9c2311e00df89cf735c16914bd7e5a5e9257127dcbab22bbf5619bbc
Opcode Fuzzy Hash: 4010094197a08bc98aac9eafcbcae97231105ce52ef1739ebdcd82c2b5af14b4
Instruction Fuzzy Hash: 6CD0C77464420CBFE710DB80DC46FA9777CD705710F100294FD0456290D6F27D549795

Function 00F053CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F053D6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 0f473bde8977d562c242e5eb7cb14a83417f5c383ec23461fdfcafa0c8dc0688
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F3B0927644020C77CE012A82EC02A4A3B5A9B40BA4F408020FB0C181E2A6F7A660AA89

Function 00F4D107 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00F4D28B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: e64e12fe5542473447201239da796844030e1d42e591b42024be1adee1a59109
Instruction ID: b2a9a02a2ada7fd63c709545e7ce4221693dbced78831fa53741746dfecee940
Opcode Fuzzy Hash: e64e12fe5542473447201239da796844030e1d42e591b42024be1adee1a59109
Instruction Fuzzy Hash: B771A4316043468FC714EF25D591A6EBBE0BF88314F04552DF89A9B3A2DB70EE09DB52

Function 01657E44 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01657E59

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3ca0c8c3ee9d487f4283830479ce30a55d8864b10e8109eaac803c1e7dfd144b
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: D2E0BF7494020DEFDB00DFB4D9496DE7BB4EF04301F1006A1FD05D7681DB309E549A62

Function 01657E48 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01657E59

Memory Dump Source

Source File: 00000000.00000002.2112581465.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3b2a9c2f175fed3883a4fe35464d5885fa4467b830247897d565830d8d98c335
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C5E0E67494020DDFDB00DFB4D94969E7BB4EF04301F1002A1FD01D2281D6309D509A62

Non-executed Functions

Function 00F6CB26 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F6CBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CBFF
GetWindowLongW.USER32(?,000000F0), ref: 00F6CC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6CC6A
SendMessageW.USER32 ref: 00F6CC93
_wcsncpy.LIBCMT ref: 00F6CCFF
GetKeyState.USER32(00000011), ref: 00F6CD20
GetKeyState.USER32(00000009), ref: 00F6CD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CD43
GetKeyState.USER32(00000010), ref: 00F6CD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6CD76
SendMessageW.USER32 ref: 00F6CD9D
SendMessageW.USER32(?,00001030,?,00F6B37C), ref: 00F6CEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F6CEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F6CECA
SetCapture.USER32(?), ref: 00F6CED3
ClientToScreen.USER32(?,?), ref: 00F6CF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F6CF45
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F6CF5F
ReleaseCapture.USER32 ref: 00F6CF6A
GetCursorPos.USER32(?), ref: 00F6CFA4
ScreenToClient.USER32(?,?), ref: 00F6CFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6D00D
SendMessageW.USER32 ref: 00F6D03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D078
SendMessageW.USER32 ref: 00F6D0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F6D0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F6D0D7
GetCursorPos.USER32(?), ref: 00F6D0F7
ScreenToClient.USER32(?,?), ref: 00F6D104
GetParent.USER32(?), ref: 00F6D124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6D18D
SendMessageW.USER32 ref: 00F6D1BE
ClientToScreen.USER32(?,?), ref: 00F6D21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F6D24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D276
SendMessageW.USER32 ref: 00F6D299
ClientToScreen.USER32(?,?), ref: 00F6D2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F6D31F

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

GetWindowLongW.USER32(?,000000F0), ref: 00F6D3BB

Strings

@GUI_DRAGID, xrefs: 00F6CF06
F, xrefs: 00F6D29F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 6cfeb94e3ea52e7659d6f429f562a1e94042ae0c3f71956c5eb9773c75de08fb
Instruction ID: a2c8672ef17d45a2876264a5e5bf694a55066998413236dda8ac8b62418c82e3
Opcode Fuzzy Hash: 6cfeb94e3ea52e7659d6f429f562a1e94042ae0c3f71956c5eb9773c75de08fb
Instruction Fuzzy Hash: 47428F70A04345AFD720CF24C845BAABBE5FF8A720F140919F6E5972B1C772D854EB92

Function 00EF70FE Relevance: 50.5, APIs: 19, Strings: 7, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF7323
_memset.LIBCMT ref: 00EF7699
_memmove.LIBCMT ref: 00EF780C

Strings

Q\E, xrefs: 00EF812B
[:>:]], xrefs: 00EF75F2
[:<:]], xrefs: 00EF75D9
DEFINE, xrefs: 00F32459
\b(?<=\w), xrefs: 00F33AC9
\b(?=\w), xrefs: 00F33ABF
Oa, xrefs: 00F32721

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2202602582
Opcode ID: 5385677ad29a532a9235a145bdd6802aee4cb48071b1bfe74800fa632a7eb00c
Instruction ID: 4c17ee570eb9dd7375c51bd4b78b9ac7f2d1e9bbdd68eccb8d2370782bbbf2a4
Opcode Fuzzy Hash: 5385677ad29a532a9235a145bdd6802aee4cb48071b1bfe74800fa632a7eb00c
Instruction Fuzzy Hash: 3793A375E00219DBDB24CF58C881BBDB7B1FF48720F25816AE945EB290E774AE81DB50

Function 00EE4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00EE4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1D9BE
IsIconic.USER32(?), ref: 00F1D9C7
ShowWindow.USER32(?,00000009), ref: 00F1D9D4
SetForegroundWindow.USER32(?), ref: 00F1D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1D9F4
GetCurrentThreadId.KERNEL32 ref: 00F1D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F1DA28
SetForegroundWindow.USER32(?), ref: 00F1DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DA40
keybd_event.USER32(00000012,00000000), ref: 00F1DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DA55
keybd_event.USER32(00000012,00000000), ref: 00F1DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DA63
keybd_event.USER32(00000012,00000000), ref: 00F1DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DA72
keybd_event.USER32(00000012,00000000), ref: 00F1DA77
SetForegroundWindow.USER32(?), ref: 00F1DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00F1DAA1

Strings

Shell_TrayWnd, xrefs: 00F1D9B9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b03ce283dfe436b49821601e553be54f5979af1e5961af05c09a3a55fca310c1
Instruction ID: fa930455bb56ccacaadac573470f41a4e3d25b3ac8d6cde9e388a1d8e923a6f6
Opcode Fuzzy Hash: b03ce283dfe436b49821601e553be54f5979af1e5961af05c09a3a55fca310c1
Instruction Fuzzy Hash: E4317371A4031CBBEB205F61AC49FBF7E7CEB44B60F144025FA15EA1D1C6B15D41BAA1

Function 00F38638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F38AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38AED
Part of subcall function 00F38AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38B1A
Part of subcall function 00F38AA3: GetLastError.KERNEL32 ref: 00F38B27

_memset.LIBCMT ref: 00F3867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F386CD
CloseHandle.KERNEL32(?), ref: 00F386DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F386F5
GetProcessWindowStation.USER32 ref: 00F3870E
SetProcessWindowStation.USER32(00000000), ref: 00F38718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F38732

Part of subcall function 00F384F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38631), ref: 00F38508
Part of subcall function 00F384F3: CloseHandle.KERNEL32(?,?,00F38631), ref: 00F3851A

Strings

default, xrefs: 00F3872D
winsta0, xrefs: 00F386F0
, xrefs: 00F3868A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 78d53f812cd818d2c7ba6a05c965de456f5b53382e2e708ff33e9be33e00ceed
Instruction ID: 29fff54564b0f99cb8fe5f985d252d24223420bfadc627f462261385f9c64459
Opcode Fuzzy Hash: 78d53f812cd818d2c7ba6a05c965de456f5b53382e2e708ff33e9be33e00ceed
Instruction Fuzzy Hash: C6816C71C00309BFDF119FA4DC45AEEBB78EF043A4F144169F924A6161DB798E16EB60

Function 00F5407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F6F910), ref: 00F540A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F540B4
GetClipboardData.USER32(0000000D), ref: 00F540BC
CloseClipboard.USER32 ref: 00F540C8
GlobalLock.KERNEL32(00000000), ref: 00F540E4
CloseClipboard.USER32 ref: 00F540EE
GlobalUnlock.KERNEL32(00000000), ref: 00F54103
IsClipboardFormatAvailable.USER32(00000001), ref: 00F54110
GetClipboardData.USER32(00000001), ref: 00F54118
GlobalLock.KERNEL32(00000000), ref: 00F54125
GlobalUnlock.KERNEL32(00000000), ref: 00F54159
CloseClipboard.USER32 ref: 00F54269

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 9f463141dc9a6c5832b2a6957725e829917f9b05311cc2f0eb3347d185a35057
Instruction ID: d48978ed500050a07badb0bec189ef63327c5819d06fe0f2519982f034493f6d
Opcode Fuzzy Hash: 9f463141dc9a6c5832b2a6957725e829917f9b05311cc2f0eb3347d185a35057
Instruction Fuzzy Hash: C051D335204309ABD300EF20EC95F6E77A8AF84B15F10052DFA56D21E1DFB0E94DAB62

Function 00F4C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F4C819
FindClose.KERNEL32(00000000), ref: 00F4C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F4C8D0
__swprintf.LIBCMT ref: 00F4C91C
__swprintf.LIBCMT ref: 00F4C95F

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

__swprintf.LIBCMT ref: 00F4C9B3

Part of subcall function 00F03818: __woutput_l.LIBCMT ref: 00F03871

__swprintf.LIBCMT ref: 00F4CA01

Part of subcall function 00F03818: __flsbuf.LIBCMT ref: 00F03893
Part of subcall function 00F03818: __flsbuf.LIBCMT ref: 00F038AB

__swprintf.LIBCMT ref: 00F4CA50
__swprintf.LIBCMT ref: 00F4CA9F
__swprintf.LIBCMT ref: 00F4CAEE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F4C916
%02d, xrefs: 00F4C9A7, 00F4C9B1, 00F4C9FF, 00F4CA4E, 00F4CA9D, 00F4CAEC
%4d, xrefs: 00F4C959

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ef92d4e7adaed1674151e06c0f2ce5d306fd5956c1389cf3f6b582ac1719bf53
Instruction ID: c7884c20e212784b47a228af29255cca2c3497ad3d0b4f2e7871360bd558097a
Opcode Fuzzy Hash: ef92d4e7adaed1674151e06c0f2ce5d306fd5956c1389cf3f6b582ac1719bf53
Instruction Fuzzy Hash: 10A140B2408348ABC750EB65CC86DAFB7ECEF94704F40592DF595D2192EB34DA08CB62

Function 00F4F021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F4F042
_wcscmp.LIBCMT ref: 00F4F057
_wcscmp.LIBCMT ref: 00F4F06E
GetFileAttributesW.KERNEL32(?), ref: 00F4F080
SetFileAttributesW.KERNEL32(?,?), ref: 00F4F09A
FindNextFileW.KERNEL32(00000000,?), ref: 00F4F0B2
FindClose.KERNEL32(00000000), ref: 00F4F0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F0D9
_wcscmp.LIBCMT ref: 00F4F100
_wcscmp.LIBCMT ref: 00F4F117
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F129
SetCurrentDirectoryW.KERNEL32(00F98920), ref: 00F4F147
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F151
FindClose.KERNEL32(00000000), ref: 00F4F15E
FindClose.KERNEL32(00000000), ref: 00F4F170

Strings

*.*, xrefs: 00F4F0D4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: a82ac1f2f1184ad8b88f224b5a3c433690c5feec7d1ac052b0c4e3d9408d566a
Instruction ID: bae79ff4f1035eb17cba48e7c7be7a62d57dbe7fdeb8c5b170922d4be15cadb0
Opcode Fuzzy Hash: a82ac1f2f1184ad8b88f224b5a3c433690c5feec7d1ac052b0c4e3d9408d566a
Instruction Fuzzy Hash: D231F53290020DAADF10DBB4EC59EEE7BAC9F89360F100175EC19D21A0DB74DA49EA65

Function 00F608E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F609DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F6F910,00000000,?,00000000,?,?), ref: 00F60A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F60A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F60B1D
RegCloseKey.ADVAPI32(?), ref: 00F60E3D
RegCloseKey.ADVAPI32(00000000), ref: 00F60E4A

Strings

REG_BINARY, xrefs: 00F60DD8
REG_EXPAND_SZ, xrefs: 00F60ABA
REG_DWORD, xrefs: 00F60D0E
REG_SZ, xrefs: 00F60B5B
REG_MULTI_SZ, xrefs: 00F60C05
REG_QWORD, xrefs: 00F60D8B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 2124f7dfd563ca2b6b6976fc0d8928662bb24a608f9d27519e959ffb2f934a36
Instruction ID: 3433868d2fc736775189190b2508e5b0d527d08cd6a0be6016a2de51c6326fc2
Opcode Fuzzy Hash: 2124f7dfd563ca2b6b6976fc0d8928662bb24a608f9d27519e959ffb2f934a36
Instruction Fuzzy Hash: 2B028D756046559FCB14DF25C841E2AB7E5FF88324F14885DF89A9B3A2CB35ED00DB81

Function 00F4F17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F4F19F
_wcscmp.LIBCMT ref: 00F4F1B4
_wcscmp.LIBCMT ref: 00F4F1CB

Part of subcall function 00F443C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F443E1

FindNextFileW.KERNEL32(00000000,?), ref: 00F4F1FA
FindClose.KERNEL32(00000000), ref: 00F4F205
FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F221
_wcscmp.LIBCMT ref: 00F4F248
_wcscmp.LIBCMT ref: 00F4F25F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F271
SetCurrentDirectoryW.KERNEL32(00F98920), ref: 00F4F28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F299
FindClose.KERNEL32(00000000), ref: 00F4F2A6
FindClose.KERNEL32(00000000), ref: 00F4F2B8

Strings

*.*, xrefs: 00F4F21C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 943467f3a19416a044208e7d609b6cae32f674976f0591db2db6b7fe4492dfb3
Instruction ID: 41bd98da2590729f6a359562e18d5329ad13b55a0a0ee00aa2ea83090dc10fe7
Opcode Fuzzy Hash: 943467f3a19416a044208e7d609b6cae32f674976f0591db2db6b7fe4492dfb3
Instruction Fuzzy Hash: F231E33690021A6ADF109FA4EC59EEE7BAC9F45370F100171EC18E21A0DBB1DF49FA54

Function 00F4A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F4A299
__swprintf.LIBCMT ref: 00F4A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F4A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F4A31D
_memset.LIBCMT ref: 00F4A33C
_wcsncpy.LIBCMT ref: 00F4A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F4A3AD
CloseHandle.KERNEL32(00000000), ref: 00F4A3B8
RemoveDirectoryW.KERNEL32(?), ref: 00F4A3C1
CloseHandle.KERNEL32(00000000), ref: 00F4A3CB

Strings

\, xrefs: 00F4A2D1
\??\%s, xrefs: 00F4A2B5
:, xrefs: 00F4A2DC

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 933bf3f2f1ff01625cb85240e72e72e278373777efb3f3b36f4f87185698c752
Instruction ID: ea57a4b7c754efd47a47a5104028e0e48f382e45a448b65ad3df3180359c254c
Opcode Fuzzy Hash: 933bf3f2f1ff01625cb85240e72e72e278373777efb3f3b36f4f87185698c752
Instruction Fuzzy Hash: 8131C572940109ABDB20DFA0DC49FFB37BCEF89750F1041B6F918D2150E7B49644AB25

Function 00F381D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F38546
Part of subcall function 00F3852A: GetLastError.KERNEL32(?,00F3800A,?,?,?), ref: 00F38550
Part of subcall function 00F3852A: GetProcessHeap.KERNEL32(00000008,?,?,00F3800A,?,?,?), ref: 00F3855F
Part of subcall function 00F3852A: HeapAlloc.KERNEL32(00000000,?,00F3800A,?,?,?), ref: 00F38566
Part of subcall function 00F3852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F3857D

Part of subcall function 00F385C7: GetProcessHeap.KERNEL32(00000008,00F38020,00000000,00000000,?,00F38020,?), ref: 00F385D3
Part of subcall function 00F385C7: HeapAlloc.KERNEL32(00000000,?,00F38020,?), ref: 00F385DA
Part of subcall function 00F385C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F38020,?), ref: 00F385EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F38238
_memset.LIBCMT ref: 00F3824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F3826C
GetLengthSid.ADVAPI32(?), ref: 00F3827D
GetAce.ADVAPI32(?,00000000,?), ref: 00F382BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F382D6
GetLengthSid.ADVAPI32(?), ref: 00F382F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F38302
HeapAlloc.KERNEL32(00000000), ref: 00F38309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F3832A
CopySid.ADVAPI32(00000000), ref: 00F38331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F38362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F38388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F3839C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d16def138b698686fe2eff23488d03ea96f43c083425725841311114a3e1981a
Instruction ID: de3e217a80478e055af823eae04790fdec0c558ba8a868c30cdec32356d50fa2
Opcode Fuzzy Hash: d16def138b698686fe2eff23488d03ea96f43c083425725841311114a3e1981a
Instruction Fuzzy Hash: 8F615D71900209EFDF10CF94DC44AEEBB79FF44760F048129F915A6251DB799A06EB60

Function 00EF6841 Relevance: 19.6, Strings: 15, Instructions: 889COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 00F31651
ANY), xrefs: 00F31634
LIMIT_RECURSION=, xrefs: 00F31552
BSR_UNICODE), xrefs: 00F3168E
UCP), xrefs: 00F31463
CRLF), xrefs: 00F31617
Oa, xrefs: 00F317BB, 00F31862, 00F3190A
NO_START_OPT), xrefs: 00F314A5
UTF), xrefs: 00F31450
NO_AUTO_POSSESS), xrefs: 00F31484
LIMIT_MATCH=, xrefs: 00F314C6
UTF16), xrefs: 00F31425
BSR_ANYCRLF), xrefs: 00F31674
CR), xrefs: 00F315DD
LF), xrefs: 00F315FA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
API String ID: 0-3700951917
Opcode ID: 1447fdedb3a71e06f9be27bec01b783ffca8c296141db5a578dc732fb426e002
Instruction ID: 59fcee25e945f7bcb5e109796491a11cda6dccbeadcd5f08c53b9ee8290fd92c
Opcode Fuzzy Hash: 1447fdedb3a71e06f9be27bec01b783ffca8c296141db5a578dc732fb426e002
Instruction Fuzzy Hash: 33727E75E002199BDB24DF58C8817BEB7F5FF48320F14816AE949EB291EB709E41DB90

Function 00F60465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F60EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FE38,?,?), ref: 00F60EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60537

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F605D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F6066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F608AD
RegCloseKey.ADVAPI32(00000000), ref: 00F608BA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 9c281f041278698d75e8514bf3dfe82c3c4f026d84758fe66deaa1cad906ee14
Instruction ID: a3087e9b602bffc34eb500e05ff972b54a5172afd73326144ca9e5bc93ddbf35
Opcode Fuzzy Hash: 9c281f041278698d75e8514bf3dfe82c3c4f026d84758fe66deaa1cad906ee14
Instruction Fuzzy Hash: 76E15D31604214AFCB14DF29C891E2BBBE4EF88724F14896DF45ADB262DB30ED05DB91

Function 00F4003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F40062
GetAsyncKeyState.USER32(000000A0), ref: 00F400E3
GetKeyState.USER32(000000A0), ref: 00F400FE
GetAsyncKeyState.USER32(000000A1), ref: 00F40118
GetKeyState.USER32(000000A1), ref: 00F4012D
GetAsyncKeyState.USER32(00000011), ref: 00F40145
GetKeyState.USER32(00000011), ref: 00F40157
GetAsyncKeyState.USER32(00000012), ref: 00F4016F
GetKeyState.USER32(00000012), ref: 00F40181
GetAsyncKeyState.USER32(0000005B), ref: 00F40199
GetKeyState.USER32(0000005B), ref: 00F401AB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a46b6c30888fcdb052617fb5478e7afd507f3caaf4c008860930f2bc3256fe91
Instruction ID: d285f859b7a22cfbc4a7ac57236307e0f4d6c41b46b4812a0b92b946d55bc49a
Opcode Fuzzy Hash: a46b6c30888fcdb052617fb5478e7afd507f3caaf4c008860930f2bc3256fe91
Instruction Fuzzy Hash: 2141B834D047C969FF318A6488047A5BEA06F51364F08409ADFC6475C2DFF49DC8E7A2

Function 00F584D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CoInitialize.OLE32 ref: 00F58518
CoUninitialize.OLE32 ref: 00F58523
CoCreateInstance.OLE32(?,00000000,00000017,00F72BEC,?), ref: 00F58583
IIDFromString.OLE32(?,?), ref: 00F585F6
VariantInit.OLEAUT32(?), ref: 00F58690
VariantClear.OLEAUT32(?), ref: 00F586F1

Strings

Failed to create object, xrefs: 00F5858E, 00F58644
NULL Pointer assignment, xrefs: 00F585C8
Invalid parameter, xrefs: 00F5860F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8d3211f0be3e9b5752a677bbdfd9008e4e5c6706fb1873f83d50c2c47d11a0ea
Instruction ID: 5c4bebe9342c5b0c92a7af947f1ecf3b44bad69c8377f266dc3a11b79fa53cfa
Opcode Fuzzy Hash: 8d3211f0be3e9b5752a677bbdfd9008e4e5c6706fb1873f83d50c2c47d11a0ea
Instruction Fuzzy Hash: 3461E3716083019FD710DF24C844B5EBBE4AF497A5F04481DFA85AB291DB70ED4EEB92

Function 00F5427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F542A1
EmptyClipboard.USER32 ref: 00F542A7
GlobalAlloc.KERNEL32(00000002,?), ref: 00F542BC
CloseClipboard.USER32 ref: 00F5435B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 926f340f29031cb3e14788bae03bb57575b37d00bc8c37a7e42e277458f23dc7
Instruction ID: ee3c92c18b03c505b61c8dc985c5cbe3c47c4e47737ff1c7f7da2e497c3df29b
Opcode Fuzzy Hash: 926f340f29031cb3e14788bae03bb57575b37d00bc8c37a7e42e277458f23dc7
Instruction Fuzzy Hash: 6521A3352002149FDB10AF60EC49B6D77E8FF44725F10802AFA56DB2B2DB75AC44EB54

Function 00F43833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

Part of subcall function 00F44AD8: GetFileAttributesW.KERNEL32(?,00F4374F), ref: 00F44AD9

FindFirstFileW.KERNEL32(?,?), ref: 00F438E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F4398F
MoveFileW.KERNEL32(?,?), ref: 00F439A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F439BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F439E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F439FD

Strings

\*.*, xrefs: 00F43892, 00F4389B, 00F438B0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: c17838f57f7f239e5beabf7340a4ff1f0edd243bbff765eb786546d590750068
Instruction ID: 82de34725aac56cc643e246b6df8caedb714edcf1e3710c0c40cc22292d3958b
Opcode Fuzzy Hash: c17838f57f7f239e5beabf7340a4ff1f0edd243bbff765eb786546d590750068
Instruction Fuzzy Hash: 0851D432C0418D9ACF11EBA1DD929EDBBB9AF14300F64416AE84677192EF706F0DDB60

Function 00EF4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F27A3B
VUUU, xrefs: 00EF44ED
VUUU, xrefs: 00EF44DB
VUUU, xrefs: 00EF4520
Oa, xrefs: 00EF4984, 00F280A2
ERCP, xrefs: 00EF421F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3486589167
Opcode ID: 25878b6c7bd22c94018a97d280ad61e5453d8f3098f3617d6ffe889a098d6950
Instruction ID: 382b610c2a1a86734da02afaeb91a12611c44b70d5160053f0629a7b193c752f
Opcode Fuzzy Hash: 25878b6c7bd22c94018a97d280ad61e5453d8f3098f3617d6ffe889a098d6950
Instruction Fuzzy Hash: 53A28CB0E0422ECBDF24DF58D9507BEB7B1BB44314F2491AADA15B7280E7749E81DB90

Function 00F4F47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F4F4CC
Sleep.KERNEL32(0000000A), ref: 00F4F4FC
_wcscmp.LIBCMT ref: 00F4F510
_wcscmp.LIBCMT ref: 00F4F52B
FindNextFileW.KERNEL32(?,?), ref: 00F4F5C9
FindClose.KERNEL32(00000000), ref: 00F4F5DF

Strings

*.*, xrefs: 00F4F4B1

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 715a40bf841ca75986d0e39deff27e8679652598ff6d5bd90db1a0d464d7c10c
Instruction ID: a1d10e19ae2dd2c69eebe43fbbf817324c3c09631abecd48312efc99e07a5507
Opcode Fuzzy Hash: 715a40bf841ca75986d0e39deff27e8679652598ff6d5bd90db1a0d464d7c10c
Instruction Fuzzy Hash: 8141607190021EAFDF11DFA4DC55AEE7BB4FF05320F144566E819A32A1EB309E48EB50

Function 00EF58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF5A05
_memmove.LIBCMT ref: 00EF5A55
_memmove.LIBCMT ref: 00EF5ABB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4d7ad634d418c51047d4ec783bd35b443e25e89035372713e60c2f2361735bcb
Instruction ID: b198d50d577666d7cf77c26a3499d48715090436b973f1b480fbefdb2fdfaa8a
Opcode Fuzzy Hash: 4d7ad634d418c51047d4ec783bd35b443e25e89035372713e60c2f2361735bcb
Instruction Fuzzy Hash: 4312A971A00A0EEFDF14CFA5D981AEEB3F5FF48310F10856AE506A7291EB35A911DB50

Function 00EF5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F00F36: std::exception::exception.LIBCMT ref: 00F00F6C
Part of subcall function 00F00F36: __CxxThrowException@8.LIBCMT ref: 00F00F81

_memmove.LIBCMT ref: 00F305AE
_memmove.LIBCMT ref: 00F306C3
_memmove.LIBCMT ref: 00F3076A

Strings

yZ, xrefs: 00F30800, 00F3077E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ
API String ID: 1300846289-3798167742
Opcode ID: c4bdbfbaed69b4e0af26f35ceb71ec6a328f2e5d891f627ad906a3defcc7c333
Instruction ID: 95ceaf540d9c905dc21fb37e4210f37b7380746e7e7918abf90f003dbcac4982
Opcode Fuzzy Hash: c4bdbfbaed69b4e0af26f35ceb71ec6a328f2e5d891f627ad906a3defcc7c333
Instruction Fuzzy Hash: E302D271E00209DBDF04DF64D991ABEBBF5EF44310F14806AE90AEB295EB35D911EB90

Function 00F45264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F38AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38AED
Part of subcall function 00F38AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38B1A
Part of subcall function 00F38AA3: GetLastError.KERNEL32 ref: 00F38B27

ExitWindowsEx.USER32(?,00000000), ref: 00F452A0

Strings

@, xrefs: 00F45293
SeShutdownPrivilege, xrefs: 00F45270
, xrefs: 00F4528E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7b2321d9cfbce661a23cdd1397ecb6a3435755e86b79d1c606fc6f6adb344a7d
Instruction ID: 75316a68314ed861f22656cfce69cbf976dbaf6c01c57627da8504fd17775216
Opcode Fuzzy Hash: 7b2321d9cfbce661a23cdd1397ecb6a3435755e86b79d1c606fc6f6adb344a7d
Instruction Fuzzy Hash: F4017031A907156BFB287678AC47BB67A58DB05F61F240123FC13D10D3D9D45E0471A0

Function 00EF3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa, xrefs: 00EF3482

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa
API String ID: 674341424-3945284152
Opcode ID: 847863d14533fe742c3924d8bb2a9e2a6f7abc2cf923dbd725b64a8ba0e71e69
Instruction ID: f68f672192514099ded4a464d90172f9ec9c2c01e6527117ca9271cd5fa95f08
Opcode Fuzzy Hash: 847863d14533fe742c3924d8bb2a9e2a6f7abc2cf923dbd725b64a8ba0e71e69
Instruction Fuzzy Hash: FC22AC715083559FD724EF24C881BAFB7E4AF84314F10592DF99AA7292DB30EA04DB92

Function 00F56399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F563F2
WSAGetLastError.WSOCK32(00000000), ref: 00F56401
bind.WSOCK32(00000000,?,00000010), ref: 00F5641D
listen.WSOCK32(00000000,00000005), ref: 00F5642C
WSAGetLastError.WSOCK32(00000000), ref: 00F56446
closesocket.WSOCK32(00000000,00000000), ref: 00F5645A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 46ccc61debd10aac38692079393e767a320f64401364a384f8c8055a762b05b4
Instruction ID: 227070257d538d9077e21313ab8c9221e7abbe52cd419d124d45be40b3e13e3b
Opcode Fuzzy Hash: 46ccc61debd10aac38692079393e767a320f64401364a384f8c8055a762b05b4
Instruction Fuzzy Hash: BB21C1316002089FCB10EF64D845B2EB7E9EF48721F108168E96AE73D2C770AC09EB51

Function 00EE1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00EE19FA
GetSysColor.USER32(0000000F), ref: 00EE1A4E
SetBkColor.GDI32(?,00000000), ref: 00EE1A61

Part of subcall function 00EE1290: DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 1f807314d87501504769afb838b09ec694cde217b25051c5b7cf3e8c708dd10a
Instruction ID: 65c1f781c817fba068030afdc862a03c0d440e05a3dba870ecbeab7b6d7f70dc
Opcode Fuzzy Hash: 1f807314d87501504769afb838b09ec694cde217b25051c5b7cf3e8c708dd10a
Instruction Fuzzy Hash: A8A167B11055CCFAD628AA2A8C44DFF359DEF86395B14116DF406F6196CA399CC0B2B2

Function 00F5685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F57ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F568B4
WSAGetLastError.WSOCK32(00000000), ref: 00F568DD
bind.WSOCK32(00000000,?,00000010), ref: 00F56916
WSAGetLastError.WSOCK32(00000000), ref: 00F56923
closesocket.WSOCK32(00000000,00000000), ref: 00F56937

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e5a25ab2da167d6b4407b4de4d59f0f6685266084ec5faa61332c0a5735b15d4
Instruction ID: 039f3faf2f2b960d84fdf15add0776e94cb43dd7242ef845efd9ccec93d2b866
Opcode Fuzzy Hash: e5a25ab2da167d6b4407b4de4d59f0f6685266084ec5faa61332c0a5735b15d4
Instruction Fuzzy Hash: A841B575A00218AFEB10AF659C86F7E77E9DF48720F448058FA1AAB3D3DA709D009791

Function 00F653DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F6542E
IsWindowEnabled.USER32 ref: 00F6543C
GetForegroundWindow.USER32(?,?,00000001), ref: 00F65449
IsIconic.USER32 ref: 00F65457
IsZoomed.USER32 ref: 00F65465

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f61731141ba6133f386d2bc4f6f4812dce23045f0e303dcbae472fde588d9c19
Instruction ID: d376533fb5ecc32fe14ee35c967d533164225a2915a9708446fee2863ecad4f0
Opcode Fuzzy Hash: f61731141ba6133f386d2bc4f6f4812dce23045f0e303dcbae472fde588d9c19
Instruction Fuzzy Hash: FB110432B009146FE7209F27DC64B2A7798FF44B22F048068F846E7251CF719C42E694

Function 00F5C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F21CB7,?), ref: 00F5C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F5C124

Strings

kernel32.dll, xrefs: 00F5C10D
GetSystemWow64DirectoryW, xrefs: 00F5C11E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d192728d27fa286987c46ddb3ec5ccbd2a7d3d6ef53f212f05c37dcbe35c1a72
Instruction ID: c8ff411f2d6ab57037315812f12a98fadf8e436238730e608994f07c7e7a3a4b
Opcode Fuzzy Hash: d192728d27fa286987c46ddb3ec5ccbd2a7d3d6ef53f212f05c37dcbe35c1a72
Instruction Fuzzy Hash: 97E01D74900713CFD7205F25D818A4176D4EF197D9B408439DD56D2151D7B8D448E750

Function 00F5EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F5EF51
Process32FirstW.KERNEL32(00000000,?), ref: 00F5EF5F

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Process32NextW.KERNEL32(00000000,?), ref: 00F5F01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F5F02E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: aff9e5bdf23828464f951bcffc79a0fbedf340abdac2c5a746bb177550d1622d
Instruction ID: 8b25e9a8981e49c2eb88813c8cc672b3a9e6523e20fc520910f3c0966e7ccc42
Opcode Fuzzy Hash: aff9e5bdf23828464f951bcffc79a0fbedf340abdac2c5a746bb177550d1622d
Instruction Fuzzy Hash: CE518071508345AFD310EF25DC85E6BB7E8FF88710F14582DF99697292EB70A908CB92

Function 00F3E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F3E93A

Strings

|, xrefs: 00F3E96A
(, xrefs: 00F3E980

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7108e78cffbe7ca8016ad71cf132861e4630a68aecea23ea125201d787b5c7c8
Instruction ID: ca43383be2cf1ea0025a756d00763b93904e9e2321e6e7593e51f7edf028a73e
Opcode Fuzzy Hash: 7108e78cffbe7ca8016ad71cf132861e4630a68aecea23ea125201d787b5c7c8
Instruction Fuzzy Hash: 89320475A006059FDB28CF19C481A6AB7F1FF48320F15C56EE89ADB3A1E770E981DB40

Function 00F52404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F51920,00000000), ref: 00F524F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F5252E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 24507224a8d8930c7079f38766fa3355616878bd593b1130d73dcb435485a05c
Instruction ID: e08ce6ae5740392211a4df994660ca4e98228d349af9de413fe37dfd2e99df62
Opcode Fuzzy Hash: 24507224a8d8930c7079f38766fa3355616878bd593b1130d73dcb435485a05c
Instruction Fuzzy Hash: 8941F871900209BFEB60DE94DC85FBFB7BCEB42726F14412AFB01A6141EB709E49B650

Function 00F4B3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4B3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F4B429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F4B476

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4073f615469eb453f4eaf2757d5b012bf9aba47730706a381c62d031710bd264
Instruction ID: 0a5b0aad1ded0830b900b348426a09b1f0bdceb0358a3a0d83e38ac36e4e4101
Opcode Fuzzy Hash: 4073f615469eb453f4eaf2757d5b012bf9aba47730706a381c62d031710bd264
Instruction Fuzzy Hash: 07216235A0011CEFCB00EFA5D880AADBBF8FF49314F1480AAE905AB362CB319915DB50

Function 00F38AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F00F36: std::exception::exception.LIBCMT ref: 00F00F6C
Part of subcall function 00F00F36: __CxxThrowException@8.LIBCMT ref: 00F00F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38B1A
GetLastError.KERNEL32 ref: 00F38B27

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b07be7c5b71bf7c77d601b17a0588577ba8dc481ce0cdfb6bf6a5ca4eeca4546
Instruction ID: 96328a4267c2a52d898f3638277596b1ae226a242294d29aa760d434aee8249f
Opcode Fuzzy Hash: b07be7c5b71bf7c77d601b17a0588577ba8dc481ce0cdfb6bf6a5ca4eeca4546
Instruction Fuzzy Hash: CC11BFB291430ABFD7289F54EC85D2BB7B8EB44321B20816EF45697241EB74AC01EA60

Function 00F44A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F44A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F44A48
FreeSid.ADVAPI32(?), ref: 00F44A58

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
Instruction ID: 8866cb75715ad02b4d788f46bcc9b0bfa3ebed1a78101e917e8b667f66fdaee2
Opcode Fuzzy Hash: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
Instruction Fuzzy Hash: 0DF04F7595130CBFDF00DFF0DD89AADBBBCEF08311F004469E901E2181D6746A049B50

Function 00EEE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacd635360806800189b7257eed3c86207a436bd6c7a1f02640370f6150d7f25
Instruction ID: ba7d72104061ff63cd13d39cb0dea2cdf2ba8c6593320a249d048c68e99b3b9b
Opcode Fuzzy Hash: cacd635360806800189b7257eed3c86207a436bd6c7a1f02640370f6150d7f25
Instruction Fuzzy Hash: 4022DCB0A0025ACFDB24DF55D480ABEB7F0FF08310F149069E856AB395E739AD85DB91

Function 00F4C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F4C787
FindClose.KERNEL32(00000000), ref: 00F4C7B7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9522824e1c97914498d74230150555755f092b18cf431ba9d8d3b72b13c87e20
Instruction ID: e70fe1398bfb51950193cf61a772960def5d4febdb446caf47bce59a6807760d
Opcode Fuzzy Hash: 9522824e1c97914498d74230150555755f092b18cf431ba9d8d3b72b13c87e20
Instruction Fuzzy Hash: 91115E766106049FD710DF29D845A2AF7E9FF94324F00851EF9AAD7391DB70A804DB91

Function 00F4A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F5957D,?,00F6FB84,?), ref: 00F4A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F5957D,?,00F6FB84,?), ref: 00F4A133

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 09ff402b41500c54138392a424ddd3be0a0e4840c82d68e8ad6926faacc08785
Instruction ID: 1bea03cbe8b54cc053ae93fc4a4d41a2c284329e7e251a6fc6f082fc15aff1f1
Opcode Fuzzy Hash: 09ff402b41500c54138392a424ddd3be0a0e4840c82d68e8ad6926faacc08785
Instruction Fuzzy Hash: 6BF0E23654422DBBDB209FA4CC48FEA776CFF08361F004266F919E2180D6749944DFA1

Function 00F384F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38631), ref: 00F38508
CloseHandle.KERNEL32(?,?,00F38631), ref: 00F3851A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 37c8217e1377828d44afa2dd0d5f6daf02be8d64ef86e1d95e361c2bfb105594
Instruction ID: 0a9a80c69a76d77997fe0752ca18bbdc79828cdbeb39d72bd1c31c3be52e515f
Opcode Fuzzy Hash: 37c8217e1377828d44afa2dd0d5f6daf02be8d64ef86e1d95e361c2bfb105594
Instruction Fuzzy Hash: 4AE0B672014611AFEB252B64FC09E77BBA9EB44361B148829F4A680474DB66ACA1FB50

Function 00F0A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F08ED7,?,?,?,00000001), ref: 00F0A2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F0A2E3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
Instruction ID: 34febaf63c8de296c5c2f863d2d465cf02f4b0323e9098fddd618e98d46ffe81
Opcode Fuzzy Hash: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
Instruction Fuzzy Hash: 05B0923105820CABCA002B91FC0AB883F68EB44AA2F404020F61D84262EBA25454AA91

Function 00F0F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
Instruction ID: 8458289515f6ffb05968e3a561e20170a657e6619e0579ba2e36143958aec5a9
Opcode Fuzzy Hash: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
Instruction Fuzzy Hash: 6132F462D29F054DD723A638D832336A249AFB73D4F15D737E819B5DAAEB28C4C36101

Function 00F125AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
Instruction ID: 55e0bccad227512308ecccf5ae24050ca69f85a12258bf0c4b2c7759e1514cda
Opcode Fuzzy Hash: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
Instruction Fuzzy Hash: D1B1F220D2AF444DD2639A398835336B65CAFFB2D5F52D71BFC1A74D22EB2285C35142

Function 00F48932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F48944

Part of subcall function 00F0537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F49017,00000000,?,?,?,?,00F491C8,00000000,?), ref: 00F05383
Part of subcall function 00F0537A: __aulldiv.LIBCMT ref: 00F053A3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: a9531647a053c9461fb15a33ab71f9f5e896fced84e6403b514e1116e225ce8a
Instruction ID: 9a44a9020bbb381939fe2c01d0a72e3beea8ab70416512be05d498c631d5a7d6
Opcode Fuzzy Hash: a9531647a053c9461fb15a33ab71f9f5e896fced84e6403b514e1116e225ce8a
Instruction Fuzzy Hash: 5521D272A35510CFC729CF25D841A52B7E1EBA5320B288E2CE5F5CB2C0CA74A905EB54

Function 00F5401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F5403A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1ff408008bac4eec8d7d2d2025f67751addbe526ff58cb0f580639bbff0060fc
Instruction ID: f034e8d122294ada905e31143596432d3242c98467f60cf404a412853690a778
Opcode Fuzzy Hash: 1ff408008bac4eec8d7d2d2025f67751addbe526ff58cb0f580639bbff0060fc
Instruction Fuzzy Hash: F3E048722001185FC710AF5AD404A56FBD8AF64765F108025FD4AD7351DA70F8449B90

Function 00F44CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00F44D1D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d8e09887bfe232b544aed54601b8730c0160817bf2ee8b673e268102dfac37fb
Instruction ID: 43bdebcc7bdd0c0449b58f8b8c72c272daa65c052e3df8768f554f0571a4d78e
Opcode Fuzzy Hash: d8e09887bfe232b544aed54601b8730c0160817bf2ee8b673e268102dfac37fb
Instruction Fuzzy Hash: 5BD09EA5D6464679FC2C0B209C1FB762929F3007A6FA845497E02B61C6A9E87C45B835

Function 00F38A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F386B1), ref: 00F38A93

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 657ae60a8982976ea0887ff52f4a01ddc4f1da492d562795d6e88cf3d79b6114
Instruction ID: 89c00bb1137ac640cc947b92f1e261452b03a82d09223ec977ca6f36cf28da4a
Opcode Fuzzy Hash: 657ae60a8982976ea0887ff52f4a01ddc4f1da492d562795d6e88cf3d79b6114
Instruction Fuzzy Hash: 40D09E3226450EBBEF019EA4ED05EAE3B69EB04B01F408511FE25D51A1C7B5D935AB60

Function 00F2215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F22171

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cb92f20f922010ab920765bc455d5d0ccdcf52a765f4cec13a1d1f7134ce418c
Instruction ID: e9090c336f695329ab63ccbe909786a40b5e533dc4789991d9a4a1a64c473b0c
Opcode Fuzzy Hash: cb92f20f922010ab920765bc455d5d0ccdcf52a765f4cec13a1d1f7134ce418c
Instruction Fuzzy Hash: 8EC002B180111D9BCB05DB90E9889EA77BCAB04304F104055A111A2100D6749B449A61

Function 00F0A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F0A2AA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4d716bd5cbbffff2990be9590a877a2bfa89cc0bc55ff2636551ccc56b765d65
Instruction ID: 8a15b5eac10adf69e0bda62cbafd2b8f2397e3c6c2566d93a928b2c50ca75550
Opcode Fuzzy Hash: 4d716bd5cbbffff2990be9590a877a2bfa89cc0bc55ff2636551ccc56b765d65
Instruction Fuzzy Hash: F0A0243000010CF7CF001F41FC054447F5CD7001D07004030F40C40133D773541055C0

Function 00EF8968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9187892c7c2f485a0a0c5a0273fba729dcb63db24f0cbc925eed905479fc417b
Instruction ID: 5a020b9a15d89c642ea355742e3d078338a07e3c10cc306ae117f45664faadd4
Opcode Fuzzy Hash: 9187892c7c2f485a0a0c5a0273fba729dcb63db24f0cbc925eed905479fc417b
Instruction Fuzzy Hash: 7D225575A0451ACBCF388F68C69437CB7A1FF81728F28906BDA56AB591DB30DD81E740

Function 00F02345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 128bcaeae44e9d9ad80197da3f7b7d7f20278fd606c4409a974798c320d02de4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 35C17836A1515309DF6E4739887813EFEA16AA27B231A075DE8B3CB1D5EF10C564F620

Function 00F0277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 414abfa683877f02f8df4e186159140b1cbd2287404ef32a9a8e68d19b5b4c37
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 14C18633A1519309DFAE4639887813EBFA16B927B231A076DE4B2DB1D4EF14C524F620

Function 00F01AF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1c9cf838d867ec7f1cc2b4cd9e8afa5e54c57a2151c5e3de794e8299ccf50f04
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 07C17332A1519309DF6E4739C87417EBEA17AA27B231A076DE4B3DB1C4EF20D564F620

Function 00F5791B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F57970
DeleteObject.GDI32(00000000), ref: 00F57982
DestroyWindow.USER32 ref: 00F57990
GetDesktopWindow.USER32 ref: 00F579AA
GetWindowRect.USER32(00000000), ref: 00F579B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F57AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F57B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57B4A
GetClientRect.USER32(00000000,?), ref: 00F57B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F57B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57BD0
GlobalLock.KERNEL32(00000000), ref: 00F57BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57BE8
GlobalUnlock.KERNEL32(00000000), ref: 00F57BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57BF8
GlobalFree.KERNEL32(00000000), ref: 00F57C03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F72CAC,00000000), ref: 00F57C2B
GlobalFree.KERNEL32(00000000), ref: 00F57C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F57C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F57C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57E8F

Strings

static, xrefs: 00F57B8A, 00F57CE1
AutoIt v3, xrefs: 00F57B42
, xrefs: 00F57E15
DISPLAY, xrefs: 00F57CF2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 81882118376c0371b0e21d704b648738093e6318608da60bd6c94d2e2507479c
Instruction ID: 8e49eb4b91075429ad2b56794017a2e592a2feb360f00083dcf80b5dede6dce1
Opcode Fuzzy Hash: 81882118376c0371b0e21d704b648738093e6318608da60bd6c94d2e2507479c
Instruction Fuzzy Hash: A7027D71900209AFDB14DFA4EC89EAEBBB9FF49311F108158F915AB2A1CB749D05DB60

Function 00F635D4 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F6F910), ref: 00F63690
IsWindowVisible.USER32(?), ref: 00F636B4

Strings

SELECTSTRING, xrefs: 00F6386F
GETLINECOUNT, xrefs: 00F6392F
SHOWDROPDOWN, xrefs: 00F63749
GETCURRENTLINE, xrefs: 00F63956
UNCHECK, xrefs: 00F638EC
GETCURRENTSELECTION, xrefs: 00F6384C
ISVISIBLE, xrefs: 00F636A0
ISENABLED, xrefs: 00F636D4
SETCURRENTSELECTION, xrefs: 00F6381F
FINDSTRING, xrefs: 00F637DF
CURRENTTAB, xrefs: 00F63726
EDITPASTE, xrefs: 00F639C8
CHECK, xrefs: 00F638D6
GETCURRENTCOL, xrefs: 00F63991
ADDSTRING, xrefs: 00F6377F
TABLEFT, xrefs: 00F636F0
HIDEDROPDOWN, xrefs: 00F63769
TABRIGHT, xrefs: 00F63706
GETSELECTED, xrefs: 00F6390C
GETLINE, xrefs: 00F63A04
SENDCOMMANDID, xrefs: 00F63A43
ISCHECKED, xrefs: 00F638A2
DELSTRING, xrefs: 00F637B2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2177d0f6195bb714a3aca6f04859f009f66882b2c389fa1c934d1f9777c3b271
Instruction ID: b1e6ae79666a1c4a845b60d218e4e829387d48cc0ee5876e2e2079ff39b72aac
Opcode Fuzzy Hash: 2177d0f6195bb714a3aca6f04859f009f66882b2c389fa1c934d1f9777c3b271
Instruction Fuzzy Hash: 0CD18E346082019BDB14EF14C891A6AB7E6AF94354F14856CF8865B3E3CF75EE0AFB41

Function 00F6A60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F6A662
GetSysColorBrush.USER32(0000000F), ref: 00F6A693
GetSysColor.USER32(0000000F), ref: 00F6A69F
SetBkColor.GDI32(?,000000FF), ref: 00F6A6B9
SelectObject.GDI32(?,00000000), ref: 00F6A6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A6F3
GetSysColor.USER32(00000010), ref: 00F6A6FB
CreateSolidBrush.GDI32(00000000), ref: 00F6A702
FrameRect.USER32(?,?,00000000), ref: 00F6A711
DeleteObject.GDI32(00000000), ref: 00F6A718
InflateRect.USER32(?,000000FE,000000FE), ref: 00F6A763
FillRect.USER32(?,?,00000000), ref: 00F6A795
GetWindowLongW.USER32(?,000000F0), ref: 00F6A7C0

Part of subcall function 00F6A8FC: GetSysColor.USER32(00000012), ref: 00F6A935
Part of subcall function 00F6A8FC: SetTextColor.GDI32(?,?), ref: 00F6A939
Part of subcall function 00F6A8FC: GetSysColorBrush.USER32(0000000F), ref: 00F6A94F
Part of subcall function 00F6A8FC: GetSysColor.USER32(0000000F), ref: 00F6A95A
Part of subcall function 00F6A8FC: GetSysColor.USER32(00000011), ref: 00F6A977
Part of subcall function 00F6A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6A985
Part of subcall function 00F6A8FC: SelectObject.GDI32(?,00000000), ref: 00F6A996
Part of subcall function 00F6A8FC: SetBkColor.GDI32(?,00000000), ref: 00F6A99F
Part of subcall function 00F6A8FC: SelectObject.GDI32(?,?), ref: 00F6A9AC
Part of subcall function 00F6A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A9CB
Part of subcall function 00F6A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6A9E2
Part of subcall function 00F6A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00F6A9F7
Part of subcall function 00F6A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F6AA1F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 817d65ccf8e9904dff8a22c4c9ea1e11862b8d815c01265b046acfc6a9df756f
Instruction ID: a5f554b3aa0002cee84ac3b344cb13eacbd81837f4f7f951b9b78031d701ee1c
Opcode Fuzzy Hash: 817d65ccf8e9904dff8a22c4c9ea1e11862b8d815c01265b046acfc6a9df756f
Instruction Fuzzy Hash: D7917D72408305BFC7109F64EC08A5B7BA9FF89331F141A29F962E61A1D7B1D948EF52

Function 00EE2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00EE2CA2
DeleteObject.GDI32(00000000), ref: 00EE2CE8
DeleteObject.GDI32(00000000), ref: 00EE2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00EE2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00EE2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F1C5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F1C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F1CA1D

Part of subcall function 00EE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EE2036,?,00000000,?,?,?,?,00EE16CB,00000000,?), ref: 00EE1B9A

SendMessageW.USER32(?,00001053), ref: 00F1CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F1CA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F1CA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F1CA92

Strings

0, xrefs: 00F1C8B1

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 06304829ab80d059ee98e6cc5e9e44950a6a2c404875fd8a195af170b6be1683
Instruction ID: e0e003fd42c88edbf02bb45cab1297b700cb192e11ba04e5b5fcffeca57c9489
Opcode Fuzzy Hash: 06304829ab80d059ee98e6cc5e9e44950a6a2c404875fd8a195af170b6be1683
Instruction Fuzzy Hash: 6C129C30A40245EFDB25CF24C884BA9BBE5FF04320F64556DE59ADB262C771EC81EB91

Function 00F575C0 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F575F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F576B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F576F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F57702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F57748
GetClientRect.USER32(00000000,?), ref: 00F57754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F57798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F577A7
GetStockObject.GDI32(00000011), ref: 00F577B7
SelectObject.GDI32(00000000,00000000), ref: 00F577BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F577CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F577D4
DeleteDC.GDI32(00000000), ref: 00F577DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F57809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F57820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F5785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F5786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F57880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F578B0
GetStockObject.GDI32(00000011), ref: 00F578BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F578C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F578D0

Strings

static, xrefs: 00F57792, 00F578AA
AutoIt v3, xrefs: 00F57740
msctls_progress32, xrefs: 00F57851
DISPLAY, xrefs: 00F5779D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 526d5b5be02f6872b347ee29ae90715e2a38f26f1fbe9ed5ba609168786ec357
Instruction ID: 685d535a99c86a0393195abdf0e0c383a5fb3284a69f80364471accdf359e759
Opcode Fuzzy Hash: 526d5b5be02f6872b347ee29ae90715e2a38f26f1fbe9ed5ba609168786ec357
Instruction Fuzzy Hash: 28A182B1A40619BFEB14DFA4EC4AFAE7BB9EB45710F104114FA15A72E1C7B0AD04DB60

Function 00F4AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4ADAA
GetDriveTypeW.KERNEL32(?,00F6FAC0,?,\\.\,00F6F910), ref: 00F4AE87
SetErrorMode.KERNEL32(00000000,00F6FAC0,?,\\.\,00F6F910), ref: 00F4AFE5

Strings

SAS, xrefs: 00F4AF91
USB, xrefs: 00F4AF7C
SSA, xrefs: 00F4AF6E
Fixed, xrefs: 00F4AECF
Removable, xrefs: 00F4AED9
Network, xrefs: 00F4AEC5
ATA, xrefs: 00F4AF60
ATAPI, xrefs: 00F4AF59
Fibre, xrefs: 00F4AF75
SCSI, xrefs: 00F4AF52
RAID, xrefs: 00F4AF83
MMC, xrefs: 00F4AFA6
CDROM, xrefs: 00F4AEBB
\\.\, xrefs: 00F4ADFC
FileBackedVirtual, xrefs: 00F4AFB4
SSD, xrefs: 00F4AF12
PhysicalDrive, xrefs: 00F4AE33
1394, xrefs: 00F4AF67
SATA, xrefs: 00F4AF98
Virtual, xrefs: 00F4AFAD
Unknown, xrefs: 00F4AEA7, 00F4AF4B
RAMDisk, xrefs: 00F4AEB1
iSCSI, xrefs: 00F4AF8A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 11bddf01ccce98b4207af66ee1f65161690c9fe38551e930d58e519c2b046ac3
Instruction ID: 9bf7b46b7d6286bd57cbde226300491d16ba97f9736a64dea59a8e4bd792f085
Opcode Fuzzy Hash: 11bddf01ccce98b4207af66ee1f65161690c9fe38551e930d58e519c2b046ac3
Instruction Fuzzy Hash: 0D51D9B5A84209ABDF00DF11CD8297DBBB0AB453607244016FD16A7192CB75DD0AFB83

Function 00EE6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EE6A91
__wcsnicmp.LIBCMT ref: 00EE6AA9
__wcsnicmp.LIBCMT ref: 00EE6AC1
__wcsnicmp.LIBCMT ref: 00EE6AD9
__wcsnicmp.LIBCMT ref: 00EE6AF1
__wcsnicmp.LIBCMT ref: 00EE6B09
__wcsnicmp.LIBCMT ref: 00EE6B21
__wcsnicmp.LIBCMT ref: 00EE6B35
__wcsnicmp.LIBCMT ref: 00EE6B76
__wcsnicmp.LIBCMT ref: 00EE6B8A
__wcsnicmp.LIBCMT ref: 00EE6B9E
__wcsnicmp.LIBCMT ref: 00EE6BB2

Strings

#include-once, xrefs: 00EE6AEB
#pragma compile, xrefs: 00EE6A8B
Cannot parse #include, xrefs: 00F1E749
#include, xrefs: 00EE6B03
#notrayicon, xrefs: 00EE6AA3
#ce, xrefs: 00EE6BAC
#comments-end, xrefs: 00EE6B98
#cs, xrefs: 00EE6B2F, 00EE6B84
Bad directive syntax error, xrefs: 00F1E673
#comments-start, xrefs: 00EE6B1B, 00EE6B70
Unterminated group of comments, xrefs: 00F1E75C
#OnAutoItStartRegister, xrefs: 00EE6AD3
#requireadmin, xrefs: 00EE6ABB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 89483dc42ad1d46db41e312d8c6e7e886a31a71e2eaacf692f4f739b73bdffda
Instruction ID: 72c78c7c49b4ae8bb4ead699791ef0cc65d591792d803abaab5945016a5b116b
Opcode Fuzzy Hash: 89483dc42ad1d46db41e312d8c6e7e886a31a71e2eaacf692f4f739b73bdffda
Instruction Fuzzy Hash: 05816C70A00349BACB20AF62DC82FFE7798AF24750F045025FD49BA0C2EB64DA51F291

Function 00F69A4E Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F69B04
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F69BBD
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F69BD9

Strings

0, xrefs: 00F69C16

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 82e5a82a1f78923fb793fbececf817049d3f6ab1ee1e3fa75376419e33105b49
Instruction ID: 4f9cc70ff6697dade04e72597b3d623fe5a84681647949fcb43011fcf6eff774
Opcode Fuzzy Hash: 82e5a82a1f78923fb793fbececf817049d3f6ab1ee1e3fa75376419e33105b49
Instruction Fuzzy Hash: 9902027050C305AFDB15CF24D848BAABBE8FF49320F04862DF5A5D62A1C7B5D944EB92

Function 00F6A8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F6A935
SetTextColor.GDI32(?,?), ref: 00F6A939
GetSysColorBrush.USER32(0000000F), ref: 00F6A94F
GetSysColor.USER32(0000000F), ref: 00F6A95A
CreateSolidBrush.GDI32(?), ref: 00F6A95F
GetSysColor.USER32(00000011), ref: 00F6A977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6A985
SelectObject.GDI32(?,00000000), ref: 00F6A996
SetBkColor.GDI32(?,00000000), ref: 00F6A99F
SelectObject.GDI32(?,?), ref: 00F6A9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6A9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00F6A9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F6AA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F6AA46
InflateRect.USER32(?,000000FD,000000FD), ref: 00F6AA64
DrawFocusRect.USER32(?,?), ref: 00F6AA6F
GetSysColor.USER32(00000011), ref: 00F6AA7D
SetTextColor.GDI32(?,00000000), ref: 00F6AA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F6AA99
SelectObject.GDI32(?,00F6A62C), ref: 00F6AAB0
DeleteObject.GDI32(?), ref: 00F6AABB
SelectObject.GDI32(?,?), ref: 00F6AAC1
DeleteObject.GDI32(?), ref: 00F6AAC6
SetTextColor.GDI32(?,?), ref: 00F6AACC
SetBkColor.GDI32(?,?), ref: 00F6AAD6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6702f974d950970cc781437b550ae8c587b0f90ee97eff516fb3a2f45d75c560
Instruction ID: 04e54fddc105e00139a2f1cb610faac9ef03bc8b4d5102829d5b921847a53773
Opcode Fuzzy Hash: 6702f974d950970cc781437b550ae8c587b0f90ee97eff516fb3a2f45d75c560
Instruction Fuzzy Hash: D8514F71900208FFDB109FA4ED48EAE7B79EF08320F214625F921AB2A1D7B59D44EF50

Function 00F68A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F68AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68B04
CharNextW.USER32(0000014E), ref: 00F68B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F68B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F68B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F68BB8
SetWindowTextW.USER32(?,0000014E), ref: 00F68C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F68C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F68C51
_memset.LIBCMT ref: 00F68C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F68CBF
_memset.LIBCMT ref: 00F68D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F68D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F68DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00F68E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00F68E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F68EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F68EE6
DrawMenuBar.USER32(?), ref: 00F68EF5
SetWindowTextW.USER32(?,0000014E), ref: 00F68F1D

Strings

0, xrefs: 00F68E87

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: eebb83246c18cf80ea868159fc116e2dac4adc659277ce56c9c9ffdb4ed2ab9f
Instruction ID: 247c5095df2125de486446079964e4dd3e5b79ad3af6e84b880390567cc4381c
Opcode Fuzzy Hash: eebb83246c18cf80ea868159fc116e2dac4adc659277ce56c9c9ffdb4ed2ab9f
Instruction Fuzzy Hash: CBE18571901218ABDF209F54CC84EEE7B79FF057A0F10425AF915AA191DB748986FF60

Function 00F648F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F64A33
GetDesktopWindow.USER32 ref: 00F64A48
GetWindowRect.USER32(00000000), ref: 00F64A4F
GetWindowLongW.USER32(?,000000F0), ref: 00F64AB1
DestroyWindow.USER32(?), ref: 00F64ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F64B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F64B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F64B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00F64B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F64B72
IsWindowVisible.USER32(?), ref: 00F64B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F64BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F64BC1
GetWindowRect.USER32(?,?), ref: 00F64BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00F64BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00F64C19
CopyRect.USER32(?,?), ref: 00F64C30
SendMessageW.USER32(?,00000412,00000000), ref: 00F64C9B

Strings

0, xrefs: 00F649DE
tooltips_class32, xrefs: 00F64AFF
(, xrefs: 00F64C0C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2d41951c42482913119c56e552aad5951f3f3deedb82290f05d66a45ca862b3e
Instruction ID: c5e871c6ec5098bdbe7cd662792f23e83f16c9864bcccc281726d9b082b3356a
Opcode Fuzzy Hash: 2d41951c42482913119c56e552aad5951f3f3deedb82290f05d66a45ca862b3e
Instruction Fuzzy Hash: 0EB17D71604341AFDB04EF65C885B6ABBE4FF88310F00891CF599AB2A1D775EC05DB95

Function 00F444DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F444ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F44513
_wcscpy.LIBCMT ref: 00F44541
_wcscmp.LIBCMT ref: 00F4454C
_wcscat.LIBCMT ref: 00F44562
_wcsstr.LIBCMT ref: 00F4456D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F44589
_wcscat.LIBCMT ref: 00F445D2
_wcscat.LIBCMT ref: 00F445D9
_wcsncpy.LIBCMT ref: 00F44604

Strings

%u.%u.%u.%u, xrefs: 00F44667
StringFileInfo\, xrefs: 00F4455C
DefaultLangCodepage, xrefs: 00F445EC
04090000, xrefs: 00F445BF
\VarFileInfo\Translation, xrefs: 00F44581

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: faba660011a84ec415d48d660dbaae0f9ab6e9a850918cabbd2b355cc22ddef9
Instruction ID: 39b0c26c734094015753a5ed6ba4779f26cea586588486ccab71965bc90adf4a
Opcode Fuzzy Hash: faba660011a84ec415d48d660dbaae0f9ab6e9a850918cabbd2b355cc22ddef9
Instruction Fuzzy Hash: EC41F872A002057AEB10AB609C47FBF7B7CDF42751F140066F904F61C2EB78E901B6A9

Function 00EE27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28BC
GetSystemMetrics.USER32(00000007), ref: 00EE28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28EF
GetSystemMetrics.USER32(00000008), ref: 00EE28F7
GetSystemMetrics.USER32(00000004), ref: 00EE291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EE2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EE2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EE297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EE2990
GetClientRect.USER32(00000000,000000FF), ref: 00EE29AE
GetStockObject.GDI32(00000011), ref: 00EE29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE29D5

Part of subcall function 00EE2344: GetCursorPos.USER32(?), ref: 00EE2357
Part of subcall function 00EE2344: ScreenToClient.USER32(00FA57B0,?), ref: 00EE2374
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000001), ref: 00EE2399
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000002), ref: 00EE23A7

SetTimer.USER32(00000000,00000000,00000028,00EE1256), ref: 00EE29FC

Strings

AutoIt v3 GUI, xrefs: 00EE2974

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0a0266d1e73a332c9d0056e2a601fc0e89ed74c61b05e9bb46bef183940097ac
Instruction ID: e521d5d791a3fae7307abb07abdc659d503b82776ea9237990c9d2eb55452941
Opcode Fuzzy Hash: 0a0266d1e73a332c9d0056e2a601fc0e89ed74c61b05e9bb46bef183940097ac
Instruction Fuzzy Hash: FBB14C71A4024EEFDB14DFA9DC45BED7BB8FB08714F105229FA16A72A0DB749840EB50

Function 00F3A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F3A885
__swprintf.LIBCMT ref: 00F3A926
_wcscmp.LIBCMT ref: 00F3A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F3A98E
_wcscmp.LIBCMT ref: 00F3A9CA
GetClassNameW.USER32(?,?,00000400), ref: 00F3AA01
GetDlgCtrlID.USER32(?), ref: 00F3AA53
GetWindowRect.USER32(?,?), ref: 00F3AA89
GetParent.USER32(?), ref: 00F3AAA7
ScreenToClient.USER32(00000000), ref: 00F3AAAE
GetClassNameW.USER32(?,?,00000100), ref: 00F3AB28
_wcscmp.LIBCMT ref: 00F3AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00F3AB62
_wcscmp.LIBCMT ref: 00F3AB76

Part of subcall function 00F037AC: _iswctype.LIBCMT ref: 00F037B4

Strings

%s%u, xrefs: 00F3A920

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6db6929df0418422c193414c232c2c6add5eea62189a28b11e582fd2c6945713
Instruction ID: 2c3f18630a1a957e927047d78a6129cbf71422006f6569dafc332b4db95ff4c7
Opcode Fuzzy Hash: 6db6929df0418422c193414c232c2c6add5eea62189a28b11e582fd2c6945713
Instruction Fuzzy Hash: 7BA1C072604606AFDB14DF25C884FAAF7E9FF44324F004629F9E9D2190D734E945EBA2

Function 00F3B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F3B1DA
_wcscmp.LIBCMT ref: 00F3B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F3B213
CharUpperBuffW.USER32(?,00000000), ref: 00F3B230
_wcscmp.LIBCMT ref: 00F3B24E
_wcsstr.LIBCMT ref: 00F3B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00F3B297
_wcscmp.LIBCMT ref: 00F3B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F3B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00F3B317
_wcscmp.LIBCMT ref: 00F3B327
GetClassNameW.USER32(00000010,?,00000400), ref: 00F3B34F
GetWindowRect.USER32(00000004,?), ref: 00F3B3B8

Strings

ThumbnailClass, xrefs: 00F3B2A2, 00F3B322
@, xrefs: 00F3B1BB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d3c73e944943c66f24026aea62f661c6bfdb35361305bcce4fdf5059164d9f00
Instruction ID: 097c23e509ab41e78d89561e4f0f09d3693855e1be1e06eebd04dcb77ed363bb
Opcode Fuzzy Hash: d3c73e944943c66f24026aea62f661c6bfdb35361305bcce4fdf5059164d9f00
Instruction Fuzzy Hash: B481A2714083099FDB01DF14C895FAA77D8EF44334F04856AFE899A0A2DB74DD49EBA1

Function 00F3AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F3B03E

Strings

[LAST, xrefs: 00F3B0EB
CLASSNAME=, xrefs: 00F3B07B
REGEXP=, xrefs: 00F3B053
LAST, xrefs: 00F3B003
[ACTIVE, xrefs: 00F3B02B
[REGEXPTITLE:, xrefs: 00F3B066
ACTIVE, xrefs: 00F3B019
[ALL, xrefs: 00F3B0E4
HANDLE=, xrefs: 00F3B037
[CLASS:, xrefs: 00F3B08E
[HANDLE:, xrefs: 00F3B04A
ALL, xrefs: 00F3B0D2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 62fdb3b621aad7130844bb5beb46b699723a950c5ba47f0149e724d25feee969
Instruction ID: 1a7cbda3f531f2b0fe22304fee8ac21b4e6799aebe01c1e941384f3c96b1a32a
Opcode Fuzzy Hash: 62fdb3b621aad7130844bb5beb46b699723a950c5ba47f0149e724d25feee969
Instruction Fuzzy Hash: 68318F71A48309A6EF28FA61CD63EAF77A89F10730F200429F555710E2EF65AF04F656

Function 00F3C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F3C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F3C2E5
SetWindowTextW.USER32(?,?), ref: 00F3C2FC
GetDlgItem.USER32(?,000003EA), ref: 00F3C311
SetWindowTextW.USER32(00000000,?), ref: 00F3C317
GetDlgItem.USER32(?,000003E9), ref: 00F3C327
SetWindowTextW.USER32(00000000,?), ref: 00F3C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F3C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F3C368
GetWindowRect.USER32(?,?), ref: 00F3C371
SetWindowTextW.USER32(?,?), ref: 00F3C3DC
GetDesktopWindow.USER32 ref: 00F3C3E2
GetWindowRect.USER32(00000000), ref: 00F3C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F3C435
GetClientRect.USER32(?,?), ref: 00F3C442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F3C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F3C492

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: d2e4c6297fd479ec2d0d86f2e65e0ebf8da1464abe00480cf75312b1ad3dc8a2
Instruction ID: 945c50b22be217719e4e9150e1b0e4368bf901c6b52c069e0dbb9a2dc97e637a
Opcode Fuzzy Hash: d2e4c6297fd479ec2d0d86f2e65e0ebf8da1464abe00480cf75312b1ad3dc8a2
Instruction Fuzzy Hash: 83517D31900709EFDB20DFA8DD89B6EBBF5FF04714F004528E692A25A1C7B5E904EB50

Function 00F55113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F55129
LoadCursorW.USER32(00000000,00007F00), ref: 00F55134
LoadCursorW.USER32(00000000,00007F03), ref: 00F5513F
LoadCursorW.USER32(00000000,00007F8B), ref: 00F5514A
LoadCursorW.USER32(00000000,00007F01), ref: 00F55155
LoadCursorW.USER32(00000000,00007F81), ref: 00F55160
LoadCursorW.USER32(00000000,00007F88), ref: 00F5516B
LoadCursorW.USER32(00000000,00007F80), ref: 00F55176
LoadCursorW.USER32(00000000,00007F86), ref: 00F55181
LoadCursorW.USER32(00000000,00007F83), ref: 00F5518C
LoadCursorW.USER32(00000000,00007F85), ref: 00F55197
LoadCursorW.USER32(00000000,00007F82), ref: 00F551A2
LoadCursorW.USER32(00000000,00007F84), ref: 00F551AD
LoadCursorW.USER32(00000000,00007F04), ref: 00F551B8
LoadCursorW.USER32(00000000,00007F02), ref: 00F551C3
LoadCursorW.USER32(00000000,00007F89), ref: 00F551CE
GetCursorInfo.USER32(?), ref: 00F551DE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 6133e08b480cc8464fd6eae8893e120167dd8c5419a54e661b2c231f97121e84
Instruction ID: 17ad6f94b0f22d82559f2a92c9a9f713b963cca8c8d2a863d75129f283a4c744
Opcode Fuzzy Hash: 6133e08b480cc8464fd6eae8893e120167dd8c5419a54e661b2c231f97121e84
Instruction Fuzzy Hash: A03113B0D4831D6ADF109FB69C8996FBEE8FF04760F50453AE50DE7280DA78A5048FA1

Function 00F6A1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6A28B
DestroyWindow.USER32(?,?), ref: 00F6A305

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F6A37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F6A3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A3B4
DestroyWindow.USER32(00000000), ref: 00F6A3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EE0000,00000000), ref: 00F6A40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A426
GetDesktopWindow.USER32 ref: 00F6A43F
GetWindowRect.USER32(00000000), ref: 00F6A446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F6A45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F6A476

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

Strings

0, xrefs: 00F6A2A1
tooltips_class32, xrefs: 00F6A378, 00F6A406

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 81b699151e4f5f2baf6df43fe0d27bb1caa31300ae5bfd76b95c578a59710900
Instruction ID: af15809155f12e3024e5515b22d09cd09195a15df787735ad24279852ca6280a
Opcode Fuzzy Hash: 81b699151e4f5f2baf6df43fe0d27bb1caa31300ae5bfd76b95c578a59710900
Instruction Fuzzy Hash: 1C71BB71550248AFD720CF28DC49F6A77E5FB89B10F04051CF996A72A0DBB5E905EF22

Function 00F6C668 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DragQueryPoint.SHELL32(?,?), ref: 00F6C691

Part of subcall function 00F6AB69: ClientToScreen.USER32(?,?), ref: 00F6AB92
Part of subcall function 00F6AB69: GetWindowRect.USER32(?,?), ref: 00F6AC08
Part of subcall function 00F6AB69: PtInRect.USER32(?,?,00F6C07E), ref: 00F6AC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00F6C6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F6C705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F6C728
_wcscat.LIBCMT ref: 00F6C758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F6C76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00F6C788
SendMessageW.USER32(?,000000B1,?,?), ref: 00F6C79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00F6C7C1
DragFinish.SHELL32(?), ref: 00F6C7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F6C8BB

Strings

@GUI_DROPID, xrefs: 00F6C7E8
@GUI_DRAGFILE, xrefs: 00F6C86A
@GUI_DRAGID, xrefs: 00F6C833

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 82a3db75c9eb52be6d42e795393f27cdae0428418ebdc323886528d9c4b05dfc
Instruction ID: 2441c0d83c2e78b080851edd4b999d3e12a6eae1a20222919d33cc9b2ea3dba0
Opcode Fuzzy Hash: 82a3db75c9eb52be6d42e795393f27cdae0428418ebdc323886528d9c4b05dfc
Instruction Fuzzy Hash: 2D617A71108345AFC700EF61DC85DAFBBE8FF89710F00092EF5A5922A1DB709A49DB92

Function 00F643FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F6448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F644D8

Strings

SELECT, xrefs: 00F64689
UNCHECK, xrefs: 00F646B4
GETITEMCOUNT, xrefs: 00F645BA
COLLAPSE, xrefs: 00F6451E
GETTEXT, xrefs: 00F6462B
EXISTS, xrefs: 00F64541
GETTOTALCOUNT, xrefs: 00F644BF
GETSELECTED, xrefs: 00F645E8
ISCHECKED, xrefs: 00F6465B
CHECK, xrefs: 00F644F8
EXPAND, xrefs: 00F6458A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 20dc4aaf4873e4fb2a24f64702c8db01ffb58c02ccf5c92d642a56f0e045a035
Instruction ID: 24268dddbb2d866abf9cd74074de89a0b70d90d0861b403158767e50b621929d
Opcode Fuzzy Hash: 20dc4aaf4873e4fb2a24f64702c8db01ffb58c02ccf5c92d642a56f0e045a035
Instruction Fuzzy Hash: 8C917E302047459FDB14EF11C891A6AB7E1AF85324F14846CF8966B7A3CF75ED0AEB81

Function 00F6B832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F6B8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F691F4), ref: 00F6B944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6B97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F6B9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6B9F7
FreeLibrary.KERNEL32(?), ref: 00F6BA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F6BA13
DestroyIcon.USER32(?,?,?,?,?,00F691F4), ref: 00F6BA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F6BA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F6BA4B

Part of subcall function 00F0307D: __wcsicmp_l.LIBCMT ref: 00F03106

Strings

.icl, xrefs: 00F6B85E
.dll, xrefs: 00F6B8A1
.exe, xrefs: 00F6B87E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 37c1cb47db3d7458b25fc6e2a9ebc9dc7883454b272ae9cc52b605b9152e4779
Instruction ID: 64330f85831e4339e1aa354a8d2550457a479868d54f9fcbdd1a79734afcc55a
Opcode Fuzzy Hash: 37c1cb47db3d7458b25fc6e2a9ebc9dc7883454b272ae9cc52b605b9152e4779
Instruction Fuzzy Hash: F061DE71900619BAEB24DF64DC46BBE77ACFF08720F104119FD15D61D1DBB8AA84EBA0

Function 00F4A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CharLowerBuffW.USER32(?,?), ref: 00F4A455
GetDriveTypeW.KERNEL32 ref: 00F4A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A54F

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Strings

type cdaudio alias cd wait, xrefs: 00F4A4CD
closed, xrefs: 00F4A469, 00F4A472
wait, xrefs: 00F4A50C
close, xrefs: 00F4A45B
set cd door , xrefs: 00F4A4F0
open , xrefs: 00F4A4B1
open, xrefs: 00F4A47C
close cd wait, xrefs: 00F4A53A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 0e201f38ade5bbaa5ababf3e83379a30bc1ac19119763c8f489187343d284090
Instruction ID: 23f8697af7a9f8620c5ece7c0c353b3bd89292ae121fb30bcc81bcca877caaf3
Opcode Fuzzy Hash: 0e201f38ade5bbaa5ababf3e83379a30bc1ac19119763c8f489187343d284090
Instruction Fuzzy Hash: CC51B1711043489FD700EF21C99196AB7F4FF88718F04496DF89AA7262DB31EE0ADB42

Function 00F3FBDB Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F1E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F3FC10
LoadStringW.USER32(00000000,?,00F1E382,00000001), ref: 00F3FC19

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

GetModuleHandleW.KERNEL32(00000000,00FA5310,?,00000FFF,?,?,00F1E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F3FC3B
LoadStringW.USER32(00000000,?,00F1E382,00000001), ref: 00F3FC3E
__swprintf.LIBCMT ref: 00F3FC8E
__swprintf.LIBCMT ref: 00F3FC9F
_wprintf.LIBCMT ref: 00F3FD48
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F3FD5F

Strings

^ ERROR, xrefs: 00F3FCF4
Error: , xrefs: 00F3FD16
Line %d:, xrefs: 00F3FC99
Line %d (File "%s"):, xrefs: 00F3FC88
%s (%d) : ==> %s: %s %s, xrefs: 00F3FD43

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0f081633f9b97e5e49abc548ad7e97353a2e2a2925bfa6a56608df400218b7bc
Instruction ID: 349e183d58ccd51c026f66f6894751caab6b9328a242329de0a11ac1e46f5e17
Opcode Fuzzy Hash: 0f081633f9b97e5e49abc548ad7e97353a2e2a2925bfa6a56608df400218b7bc
Instruction Fuzzy Hash: D0416172C0424DAACF14FBE1DD86DEEB7B8AF19300F501065F505720A2EA756F49DBA1

Function 00F6BA67 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F69239,?,?), ref: 00F6BA8A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAA1
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAAC
CloseHandle.KERNEL32(00000000,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAB9
GlobalLock.KERNEL32(00000000), ref: 00F6BAC2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAD1
GlobalUnlock.KERNEL32(00000000), ref: 00F6BADA
CloseHandle.KERNEL32(00000000,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAE1
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F69239,?,?,00000000,?), ref: 00F6BAF2
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F72CAC,?), ref: 00F6BB0B
GlobalFree.KERNEL32(00000000), ref: 00F6BB1B
GetObjectW.GDI32(00000000,00000018,?), ref: 00F6BB3F
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F6BB6A
DeleteObject.GDI32(00000000), ref: 00F6BB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F6BBA8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fcf24d6d2b6b0a5ee99e860a3bb799da03f554eddff15b55031e3040335b9b27
Instruction ID: 26b9a9122fa3e5dbce1ed17bc95c8f3e5589ce328ddff275a554b06d67c2b7ef
Opcode Fuzzy Hash: fcf24d6d2b6b0a5ee99e860a3bb799da03f554eddff15b55031e3040335b9b27
Instruction Fuzzy Hash: DE413A75600209FFDB119FA5EC88EAA7BB8FF89721F104068F916D7260D7709D45EB60

Function 00F4D925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F4DA9C
_wcscat.LIBCMT ref: 00F4DAB4
_wcscat.LIBCMT ref: 00F4DAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F4DADB
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DAEF
GetFileAttributesW.KERNEL32(?), ref: 00F4DB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F4DB21
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DB33

Strings

*.*, xrefs: 00F4DB72

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f1995953c82027c186adacd6fbed9b59c089586938c18c62277b431d3dbb6349
Instruction ID: d15e72f6fd68f6461849fc051ae34b604fc7ddd900923e41073b9ffce66a2797
Opcode Fuzzy Hash: f1995953c82027c186adacd6fbed9b59c089586938c18c62277b431d3dbb6349
Instruction Fuzzy Hash: E58195729182459FCB24DF64C844A6ABBE8FF89314F18482EFC89D7252D738DD44EB52

Function 00F6C216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F6C266
GetFocus.USER32 ref: 00F6C276
GetDlgCtrlID.USER32(00000000), ref: 00F6C281
_memset.LIBCMT ref: 00F6C3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F6C3D7
GetMenuItemCount.USER32(?), ref: 00F6C3F7
GetMenuItemID.USER32(?,00000000), ref: 00F6C40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F6C43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F6C486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F6C4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F6C4F3

Strings

0, xrefs: 00F6C3A4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: cf34f375c7bc5445bdaa817b93336d6939b0b49bedc6bf299205617aa483c4ca
Instruction ID: d54afb2a10b760ce539b6f8966fb45bbecc4664b6114d1a93bffbb29e9e87c20
Opcode Fuzzy Hash: cf34f375c7bc5445bdaa817b93336d6939b0b49bedc6bf299205617aa483c4ca
Instruction Fuzzy Hash: 59817A71608305AFD710DF14D895A7ABBE8FF88724F00492EF9D597291CB71D805EBA2

Function 00F5742F Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F574A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F574B0
CreateCompatibleDC.GDI32(?), ref: 00F574BC
SelectObject.GDI32(00000000,?), ref: 00F574C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F5751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F57559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F5757D
SelectObject.GDI32(00000006,?), ref: 00F57585
DeleteObject.GDI32(?), ref: 00F5758E
DeleteDC.GDI32(00000006), ref: 00F57595
ReleaseDC.USER32(00000000,?), ref: 00F575A0

Strings

(, xrefs: 00F57525

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fd724b4ae0d33a317730f686e63b6468397fd46e3d4ee8d10bcc021256bce344
Instruction ID: a5312060de8cead77118a6750dfaa847313793d69751d5486422536e7ea66f95
Opcode Fuzzy Hash: fd724b4ae0d33a317730f686e63b6468397fd46e3d4ee8d10bcc021256bce344
Instruction Fuzzy Hash: 10515971904309EFCB14CFA8DC84EAEBBB9EF48310F14842DFA9A97211D771A844DB60

Function 00EE6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F00AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EE6C6C,?,00008000), ref: 00F00AF3

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE6E5A

Part of subcall function 00EE59CD: _wcscpy.LIBCMT ref: 00EE5A05

Part of subcall function 00F037BD: _iswctype.LIBCMT ref: 00F037C5

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F1E77A
Error opening the file, xrefs: 00F1E796, 00F1E811
AU3!, xrefs: 00EE6CC1
EA06, xrefs: 00F1E7AB
Bad directive syntax error, xrefs: 00F1EAF6
Unterminated string, xrefs: 00F1EB3D
>>>AUTOIT SCRIPT<<<, xrefs: 00F1E7EF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4b57f50ea1521558394be27a90605e8889b3e3d7de835a66bbf590502d30a690
Instruction ID: 618605bf834ca87abd7377cb6208725d9494ec53fc3320098034663915621edf
Opcode Fuzzy Hash: 4b57f50ea1521558394be27a90605e8889b3e3d7de835a66bbf590502d30a690
Instruction Fuzzy Hash: 5E02BF315083859FC724EF21C881AAFBBE5EF99354F04091DF8C9A32A1DB34D949EB42

Function 00EE45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE45F9
GetMenuItemCount.USER32(00FA5890), ref: 00F1D6FD
GetMenuItemCount.USER32(00FA5890), ref: 00F1D7AD
GetCursorPos.USER32(?), ref: 00F1D7F1
SetForegroundWindow.USER32(00000000), ref: 00F1D7FA
TrackPopupMenuEx.USER32(00FA5890,00000000,?,00000000,00000000,00000000), ref: 00F1D80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F1D819

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 2b7e2a61aea7f365b9c321829546379d6c815f064edca4a7494973bb31f4c934
Instruction ID: 34050f37e4b23b27aafe1463126e757e10dfad33e83017a59324331c75a0994c
Opcode Fuzzy Hash: 2b7e2a61aea7f365b9c321829546379d6c815f064edca4a7494973bb31f4c934
Instruction Fuzzy Hash: A271F670A0024ABEEB209F15DC45FEABF74FF05368F140216F529A61E1C7B56C50EB95

Function 00F60EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FE38,?,?), ref: 00F60EBC

Strings

HKEY_CLASSES_ROOT, xrefs: 00F60F4F
HKCU, xrefs: 00F60FAC
HKCC, xrefs: 00F60F8A
HKEY_LOCAL_MACHINE, xrefs: 00F60F25
HKLM, xrefs: 00F60F3A
HKCR, xrefs: 00F60F64
HKEY_USERS, xrefs: 00F60FBD
HKU, xrefs: 00F60FCE
HKEY_CURRENT_CONFIG, xrefs: 00F60F79
HKEY_CURRENT_USER, xrefs: 00F60F9B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d747d3d1a116cc4f7fbe0acb0f07bf7b77befcbc5094450177e770e58afffecf
Instruction ID: 494feca0314f1d42a4569cfefc9c689d396315623296c353d1a83e66db65ea12
Opcode Fuzzy Hash: d747d3d1a116cc4f7fbe0acb0f07bf7b77befcbc5094450177e770e58afffecf
Instruction Fuzzy Hash: 94419C3150428A9BEF21EF18DC91AEE3360FF55310F188419FC511B296DF759A5AFBA0

Function 00F3FAD2 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F1E5F9,00000010,?,Bad directive syntax error,00F6F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F3FAF3
LoadStringW.USER32(00000000,?,00F1E5F9,00000010), ref: 00F3FAFA

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

_wprintf.LIBCMT ref: 00F3FB2D
__swprintf.LIBCMT ref: 00F3FB4F
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F3FBBE

Strings

., xrefs: 00F3FBA4
Error: , xrefs: 00F3FB8C
Line %d:, xrefs: 00F3FB49
%s (%d) : ==> %s.: %s %s, xrefs: 00F3FB28
Line %d (File "%s"):, xrefs: 00F3FB64

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 74e881380f3ea8c7f1eb66a3c159b21bbe838191954b25f270e2d4707568389b
Instruction ID: d4bcd3834f28bb006d7dff4f04cb4f639ea3463845a162614b917bc835c56309
Opcode Fuzzy Hash: 74e881380f3ea8c7f1eb66a3c159b21bbe838191954b25f270e2d4707568389b
Instruction Fuzzy Hash: CA218D72D0025EEBCF22EF90CC56EEE7779BF18300F0444AAF515620A2DA719A58EB51

Function 00F4536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00EE7A84: _memmove.LIBCMT ref: 00EE7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F453D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F453ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F453FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F45410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F45421

Strings

close PlayMe, xrefs: 00F453E8, 00F45415
status PlayMe mode, xrefs: 00F453D2
alias PlayMe, xrefs: 00F453B0
play PlayMe, xrefs: 00F4541C
open , xrefs: 00F45386
play PlayMe wait, xrefs: 00F4540B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9c7641fa6cd2bfe218671cba9bd7c7a8c53bb9068a67fb56e592d1b9e143de8c
Instruction ID: f73c74eafe7fb20501f4d3ee28c48042eb1701c186257882897d46b1894b34d5
Opcode Fuzzy Hash: 9c7641fa6cd2bfe218671cba9bd7c7a8c53bb9068a67fb56e592d1b9e143de8c
Instruction Fuzzy Hash: D711C82195016D7AEB20F7A2CC59DFF7FBCEB92F80F000429B815A60D1DEA04D46D5A2

Function 00F446F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F44713
gethostname.WSOCK32(?,00000100), ref: 00F4472D
gethostbyname.WSOCK32(?), ref: 00F4473A
_wcscpy.LIBCMT ref: 00F44762
_memmove.LIBCMT ref: 00F44775
inet_ntoa.WSOCK32(?), ref: 00F44780
_strcat.LIBCMT ref: 00F4478E
_wcscpy.LIBCMT ref: 00F447A5
WSACleanup.WSOCK32 ref: 00F447B3
_wcscpy.LIBCMT ref: 00F447C1

Strings

0.0.0.0, xrefs: 00F4475C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 994d31cd4886c1c64a08062fd0b6927ede4a192527d9594b630cab48a2874464
Instruction ID: 9900a2f08d06091c90ca70da4a37ddda9c92a24f4dfe7fe08090f9775f32f065
Opcode Fuzzy Hash: 994d31cd4886c1c64a08062fd0b6927ede4a192527d9594b630cab48a2874464
Instruction Fuzzy Hash: 8411EB31904119AFDB10A730EC4AFDA7BBCDF42725F0401B6F815A6091EFB4AA86B661

Function 00F4501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F45021

Part of subcall function 00F0034A: timeGetTime.WINMM(?,75A8B400,00EF0FDB), ref: 00F0034E

Sleep.KERNEL32(0000000A), ref: 00F4504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00F45071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F45093
SetActiveWindow.USER32 ref: 00F450B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F450C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F450DF
Sleep.KERNEL32(000000FA), ref: 00F450EA
IsWindow.USER32 ref: 00F450F6
EndDialog.USER32(00000000), ref: 00F45107

Strings

BUTTON, xrefs: 00F45085

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2e6b3be544b121216dd481d0b405f26c3a806e92e30f191ea6e1a996e8f7b257
Instruction ID: b62d8f1b116af3b9feb03e340558f7e311342c354cab84394ee4d2b8c038d498
Opcode Fuzzy Hash: 2e6b3be544b121216dd481d0b405f26c3a806e92e30f191ea6e1a996e8f7b257
Instruction Fuzzy Hash: BB2184B560460DBFE7017F20FC89F253F69EB46B95F0D1024F911C12B6DBA18D58BA62

Function 00F4D619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CoInitialize.OLE32(00000000), ref: 00F4D676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F4D709
SHGetDesktopFolder.SHELL32(?), ref: 00F4D71D
CoCreateInstance.OLE32(00F72D7C,00000000,00000001,00F98C1C,?), ref: 00F4D769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F4D7D8
CoTaskMemFree.OLE32(?,?), ref: 00F4D830
_memset.LIBCMT ref: 00F4D86D
SHBrowseForFolderW.SHELL32(?), ref: 00F4D8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F4D8CC
CoTaskMemFree.OLE32(00000000), ref: 00F4D8D3
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F4D90A
CoUninitialize.OLE32(00000001,00000000), ref: 00F4D90C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 06939ae97f10fbe4f8a9267b55d963978ca320b34f708c551450063a8755b442
Instruction ID: 41e8422d3cddf37d129de013ab2bc6ef38c4a90d31c3465200f87d5a63ff2975
Opcode Fuzzy Hash: 06939ae97f10fbe4f8a9267b55d963978ca320b34f708c551450063a8755b442
Instruction Fuzzy Hash: 29B1FB75A00109AFDB04DFA5C888DAEBBF9FF88314B1480A9F919EB251DB30ED45DB50

Function 00F4034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F403C8
SetKeyboardState.USER32(?), ref: 00F40433
GetAsyncKeyState.USER32(000000A0), ref: 00F40453
GetKeyState.USER32(000000A0), ref: 00F4046A
GetAsyncKeyState.USER32(000000A1), ref: 00F40499
GetKeyState.USER32(000000A1), ref: 00F404AA
GetAsyncKeyState.USER32(00000011), ref: 00F404D6
GetKeyState.USER32(00000011), ref: 00F404E4
GetAsyncKeyState.USER32(00000012), ref: 00F4050D
GetKeyState.USER32(00000012), ref: 00F4051B
GetAsyncKeyState.USER32(0000005B), ref: 00F40544
GetKeyState.USER32(0000005B), ref: 00F40552

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
Instruction ID: 12f27d7fc82c28e7dc0aba20fb5da5a62add651de6b0f5b2fb0f9192c5d19944
Opcode Fuzzy Hash: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
Instruction Fuzzy Hash: BA518730D0878829FB35DBB088157AABFB49F11390F4885999EC2571D3DE749A8CEB61

Function 00F3C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F3C545
GetWindowRect.USER32(00000000,?), ref: 00F3C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F3C5B5
GetDlgItem.USER32(?,00000002), ref: 00F3C5C0
GetWindowRect.USER32(00000000,?), ref: 00F3C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F3C626
GetDlgItem.USER32(?,000003E9), ref: 00F3C634
GetWindowRect.USER32(00000000,?), ref: 00F3C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F3C688
GetDlgItem.USER32(?,000003EA), ref: 00F3C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F3C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00F3C6C0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
Instruction ID: c32347226e71f85d0d7e94e25fa7c93f18d96e49d5d9fbc32ad6cdb942927a18
Opcode Fuzzy Hash: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
Instruction Fuzzy Hash: 9C514371F00209AFDB18CF69DD85AAEBBB5FB88320F14812DF515E72A0D7B19D049B50

Function 00EE201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EE2036,?,00000000,?,?,?,?,00EE16CB,00000000,?), ref: 00EE1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EE20D3
KillTimer.USER32(-00000001,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00EE216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F1BE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BE8A
DeleteObject.GDI32(00000000), ref: 00F1BE9C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5088de8e5d20414d7aa50f0d3bd033bd137fb37ba3e94a52aa2c12524d281dca
Instruction ID: 7d28db60387f61c45e4b7696c4e148b0c07b71219d98c0574ce49a7a0de66fab
Opcode Fuzzy Hash: 5088de8e5d20414d7aa50f0d3bd033bd137fb37ba3e94a52aa2c12524d281dca
Instruction Fuzzy Hash: 6D61BE71500A58DFCB359F16D848BAAB7F5FF41726F10952CE252AA5B0C775A880EF80

Function 00EE21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

GetSysColor.USER32(0000000F), ref: 00EE21D3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 620ab84e2e2b2f93a49f6e780ebec50d449e971ed7255ab109e4d9e3269beb89
Instruction ID: 22f9fa8b8bf4e45bd603376c9bd181412e6abf4d7f054338ace46a39836e60f3
Opcode Fuzzy Hash: 620ab84e2e2b2f93a49f6e780ebec50d449e971ed7255ab109e4d9e3269beb89
Instruction Fuzzy Hash: A241B331400188DBDB255F29EC48BB93769EB0A731F184269FF659A1F5C7718C81EB61

Function 00F4A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F6F910), ref: 00F4A995
GetDriveTypeW.KERNEL32(00000061,00F989A0,00000061), ref: 00F4AA5F
_wcscpy.LIBCMT ref: 00F4AA89

Strings

unknown, xrefs: 00F4AA20
ramdisk, xrefs: 00F4AA09
network, xrefs: 00F4A9F3
fixed, xrefs: 00F4A9DD
removable, xrefs: 00F4A9C7
cdrom, xrefs: 00F4A9B1
all, xrefs: 00F4A99B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: bc5758a33f63f4dd08cecf14d75aae2a42c1e81b461fefcd324d205923d66da7
Instruction ID: 1506940844bc98069061df0aa2739724d25dff0b4a8900e3cb00e47c2c4d64a2
Opcode Fuzzy Hash: bc5758a33f63f4dd08cecf14d75aae2a42c1e81b461fefcd324d205923d66da7
Instruction Fuzzy Hash: 5351D9315483419BD710EF14C8D2AAEBBE5EF81750F40482DF896A72A2DB31DE09EA53

Function 00EE9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00EE99C2
__swprintf.LIBCMT ref: 00EE9A0C
__i64tow.LIBCMT ref: 00F1F93F

Strings

True, xrefs: 00F1F900
False, xrefs: 00F1F907
0x%p, xrefs: 00F1F921
%.15g, xrefs: 00EE9A06

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: aafd093072e14a3e2d4ea1978971a66b6d455df8066ed06aeb9d9b80b8a36178
Instruction ID: 931b43476efc992ea516f1737c227b393a3a81d604adcc0b4b32cb5ea933ed74
Opcode Fuzzy Hash: aafd093072e14a3e2d4ea1978971a66b6d455df8066ed06aeb9d9b80b8a36178
Instruction Fuzzy Hash: 4A41D771904209AFDB24AF35DC42EB677E8EF44320F24446EE549DA292EA729D42EB11

Function 00F67184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6719C
CreateMenu.USER32 ref: 00F671B7
SetMenu.USER32(?,00000000), ref: 00F671C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F67253
IsMenu.USER32(?), ref: 00F67269
CreatePopupMenu.USER32 ref: 00F67273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F672A0
DrawMenuBar.USER32 ref: 00F672A8

Strings

0, xrefs: 00F67192
F, xrefs: 00F67294

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 2e28b70d1f9c2b830053d562b2f463935ab292d259c20954c9a9d8d5f8e120c7
Instruction ID: e0607527f6121258ceeec08e117e10ef92120e6f6444bf06126e387a2804d0e2
Opcode Fuzzy Hash: 2e28b70d1f9c2b830053d562b2f463935ab292d259c20954c9a9d8d5f8e120c7
Instruction Fuzzy Hash: 374167B5A00209EFDB10EF64E894A9A7BF5FF4A714F140129F916A7360D770AD14EFA0

Function 00F674ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F67590
CreateCompatibleDC.GDI32(00000000), ref: 00F67597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F675AA
SelectObject.GDI32(00000000,00000000), ref: 00F675B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F675BD
DeleteDC.GDI32(00000000), ref: 00F675C6
GetWindowLongW.USER32(?,000000EC), ref: 00F675D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F675E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F675F0

Strings

static, xrefs: 00F67528

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d211274d799ec06196e93e83d674d2a2c465b3b68dea5e7e6da440c5e43750ba
Instruction ID: 017aa5e9539c55d2ddaf1788bb1e7f1d4c5e1cb9ef5d7e07ae5cbfc52c1223c0
Opcode Fuzzy Hash: d211274d799ec06196e93e83d674d2a2c465b3b68dea5e7e6da440c5e43750ba
Instruction Fuzzy Hash: 0E317C72504219BBDF12AF64EC08FDB3B69FF09764F150224FA26A61A0CB75DC14EB64

Function 00F06F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F06FBB

Part of subcall function 00F08CA8: __getptd_noexit.LIBCMT ref: 00F08CA8

__gmtime64_s.LIBCMT ref: 00F07054
__gmtime64_s.LIBCMT ref: 00F0708A
__gmtime64_s.LIBCMT ref: 00F070A7
__allrem.LIBCMT ref: 00F070FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F07119
__allrem.LIBCMT ref: 00F07130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F0714E
__allrem.LIBCMT ref: 00F07165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F07183
__invoke_watson.LIBCMT ref: 00F071F4

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 15979fab991911a4fd50c08b6b6c771056394a5a908519e11537d81e62a3b1ec
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 4A7106B2E00717ABE714AE39CC41B9AB3A9AF40364F14427AF410D72C1FB74EA50B790

Function 00F4281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F4283A
GetMenuItemInfoW.USER32(00FA5890,000000FF,00000000,00000030), ref: 00F4289B
SetMenuItemInfoW.USER32(00FA5890,00000004,00000000,00000030), ref: 00F428D1
Sleep.KERNEL32(000001F4), ref: 00F428E3
GetMenuItemCount.USER32(?), ref: 00F42927
GetMenuItemID.USER32(?,00000000), ref: 00F42943
GetMenuItemID.USER32(?,-00000001), ref: 00F4296D
GetMenuItemID.USER32(?,?), ref: 00F429B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F429F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42A2D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 11a3c0ce553ced296e68722d01276ffb788d6ec9af9f189c397880fb44461ca9
Instruction ID: 60e71aef52747eb6051c6d625f36fcea1acf9055a1d77538c2472c80b7dcc65e
Opcode Fuzzy Hash: 11a3c0ce553ced296e68722d01276ffb788d6ec9af9f189c397880fb44461ca9
Instruction Fuzzy Hash: 0961DCB1900249AFDB61CF64DC88AAEBFB8FB05314F940069FC42A7291D775AD45FB20

Function 00F66F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F66FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F66FDA
GetWindowLongW.USER32(?,000000F0), ref: 00F66FFE
_memset.LIBCMT ref: 00F6700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F67021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F67099

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: afc1e49a4a7be06689deb1809ed05eb1906464c7075910ac9df7cd63657a8af4
Instruction ID: f8d5de4594809a4103d24a990b3d2fe452b5e28dfbe29fa401efee5e162b5dba
Opcode Fuzzy Hash: afc1e49a4a7be06689deb1809ed05eb1906464c7075910ac9df7cd63657a8af4
Instruction Fuzzy Hash: 10615B75A00248AFDB10DFA4CC81EEE77F8EB09714F10415AFA15EB2A2D774AD45EB60

Function 00F36EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F36F15
SafeArrayAllocData.OLEAUT32(?), ref: 00F36F6E
VariantInit.OLEAUT32(?), ref: 00F36F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F36FA0
VariantCopy.OLEAUT32(?,?), ref: 00F36FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F37007
VariantClear.OLEAUT32(?), ref: 00F3701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00F37029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F37032
VariantClear.OLEAUT32(?), ref: 00F37044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F3704F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6537ac6b75066b3664f2a55213e0ffcefec88d1df46bba884282921a9e9adefb
Instruction ID: 784ef3f70045ca6bd26e6c98dc45bc5a3932466ffd5cc8c9dab28a57eaafc286
Opcode Fuzzy Hash: 6537ac6b75066b3664f2a55213e0ffcefec88d1df46bba884282921a9e9adefb
Instruction Fuzzy Hash: 5F41717590421DAFCB14EFA4EC449AEBBB9FF08324F008069E915E7261DB71A949DF90

Function 00F55848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F558A9
inet_addr.WSOCK32(?,?,?), ref: 00F558EE
gethostbyname.WSOCK32(?), ref: 00F558FA
IcmpCreateFile.IPHLPAPI ref: 00F55908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F55978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F5598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F55A03
WSACleanup.WSOCK32 ref: 00F55A09

Strings

Ping, xrefs: 00F5592C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 363c4df9217ac5fbdfc59028ef3e7f3ae0bc9878366e8a57cccdb9124836c42b
Instruction ID: 5e5215a66539ba7979275f5687128e9ddda93736963fda115b78252689d84a5e
Opcode Fuzzy Hash: 363c4df9217ac5fbdfc59028ef3e7f3ae0bc9878366e8a57cccdb9124836c42b
Instruction Fuzzy Hash: 8E518132604700DFD710AF25DC55B2AB7E4EF49B21F144529FA56EB2A1DB74E808EB41

Function 00F4B54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4B55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F4B5D2
GetLastError.KERNEL32 ref: 00F4B5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 00F4B649

Strings

UNKNOWN, xrefs: 00F4B601
READY, xrefs: 00F4B622
NOTREADY, xrefs: 00F4B608
READONLY, xrefs: 00F4B614
INVALID, xrefs: 00F4B61B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bc53298b097b0f79c28073486641567c2cc8807d69f9e621a6f7177287b3bfad
Instruction ID: 822c74e547c2e3dc5511740724ee2bd0c9439582184550fe7bcdc340195e0414
Opcode Fuzzy Hash: bc53298b097b0f79c28073486641567c2cc8807d69f9e621a6f7177287b3bfad
Instruction Fuzzy Hash: D531B035A002099FDB00EFA9DC85EADBBB4FF45350F184066F905E7292DB71DA06EB91

Function 00F39251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F392D6
GetDlgCtrlID.USER32 ref: 00F392E1
GetParent.USER32 ref: 00F392FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F39300
GetDlgCtrlID.USER32(?), ref: 00F39309
GetParent.USER32(?), ref: 00F39325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F39328

Strings

ComboBox, xrefs: 00F3925E
ListBox, xrefs: 00F39293

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9486fd789a7c053130b7a5d3ceb1d3135ffb222d7655d58d34c3f0f3308e4f4a
Instruction ID: f4d71b898e19bb3d432b1cad5a39a03cac6f0b96ea2a07d9f7021f7e8c59452e
Opcode Fuzzy Hash: 9486fd789a7c053130b7a5d3ceb1d3135ffb222d7655d58d34c3f0f3308e4f4a
Instruction Fuzzy Hash: 4D21C471E04208BBDF04AB61DC85EFEBBA8EF55320F100169F561972E1DBB59819EA20

Function 00F3933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F393BF
GetDlgCtrlID.USER32 ref: 00F393CA
GetParent.USER32 ref: 00F393E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F393E9
GetDlgCtrlID.USER32(?), ref: 00F393F2
GetParent.USER32(?), ref: 00F3940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F39411

Strings

ComboBox, xrefs: 00F39349
ListBox, xrefs: 00F3937E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8458152bb7534d8e2a1a3558dfd9918f059cd3ce870ebf025a869829eebb9132
Instruction ID: 6bf3aaaf6f615e44f6a46a45e910642c3143bd41077b9060f72f814c72ef64b9
Opcode Fuzzy Hash: 8458152bb7534d8e2a1a3558dfd9918f059cd3ce870ebf025a869829eebb9132
Instruction Fuzzy Hash: 5121C875A042087BDF00EB65DC85EFEBBB8EF44310F104065F961971A1DBF55959EB20

Function 00F39425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F39431
GetClassNameW.USER32(00000000,?,00000100), ref: 00F39446
_wcscmp.LIBCMT ref: 00F39458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F394D3

Strings

list, xrefs: 00F394B5
smallicons, xrefs: 00F3949B
largeicons, xrefs: 00F39467
SHELLDLL_DefView, xrefs: 00F39452
details, xrefs: 00F39481

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f4430d679dc7b7a314fb6002ef8f817aef56a9e0e94f3d51d43f774214d3b78f
Instruction ID: 970c1bfa6d98fb7621a2ffe99aff36cc95d53623433226b0c0fd86b6d52421cb
Opcode Fuzzy Hash: f4430d679dc7b7a314fb6002ef8f817aef56a9e0e94f3d51d43f774214d3b78f
Instruction Fuzzy Hash: B3110637A5C307BAFB206620EC06DA6339CCF05334F208026F914A40E1FAE6A852B995

Function 00F589C0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F589EC
CoInitialize.OLE32(00000000), ref: 00F58A19
CoUninitialize.OLE32 ref: 00F58A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00F58B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F58C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F72C0C), ref: 00F58C84
CoGetObject.OLE32(?,00000000,00F72C0C,?), ref: 00F58CA7
SetErrorMode.KERNEL32(00000000), ref: 00F58CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F58D3A
VariantClear.OLEAUT32(?), ref: 00F58D4A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 63b8025cacfa73c297bfda9bcfe232e1efc3f8974a7969669029dff378132a41
Instruction ID: b4d00a8681d5eb75f77b7757f93f84f3fea84055710fd07e15461c6f57ae369f
Opcode Fuzzy Hash: 63b8025cacfa73c297bfda9bcfe232e1efc3f8974a7969669029dff378132a41
Instruction Fuzzy Hash: 16C139B1608305AFC700DF64C88492BB7E9FF89399F00495DF989AB251DB71ED0ADB52

Function 00F47A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F47B15

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: ff52d0abf1ee85ab26b615dd9713c2ef471598888303124d69a5366fe6d300f3
Instruction ID: 03d2d628c7cab06a41f3241ff9802baa6ce25ec7650d6ac2d41b2d3df2533754
Opcode Fuzzy Hash: ff52d0abf1ee85ab26b615dd9713c2ef471598888303124d69a5366fe6d300f3
Instruction Fuzzy Hash: 75B19071D1431A9FDB10EF94D884BBEBBF4EF48321F214469EA10EB291D734A945EB90

Function 00F414FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F41521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F40599,?,00000001), ref: 00F41535
GetWindowThreadProcessId.USER32(00000000), ref: 00F4153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40599,?,00000001), ref: 00F4154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40599,?,00000001), ref: 00F41576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40599,?,00000001), ref: 00F41588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F40599,?,00000001), ref: 00F415CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F40599,?,00000001), ref: 00F415E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F40599,?,00000001), ref: 00F415ED

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a146d227ed1166bd2e692823f124c08bab25e36b0dba74aaf404444a8dabd154
Instruction ID: 2be94f925497ef009b6917b2b126058f8f5129da50c5b82a202ceeddba989aef
Opcode Fuzzy Hash: a146d227ed1166bd2e692823f124c08bab25e36b0dba74aaf404444a8dabd154
Instruction Fuzzy Hash: A83193B1900308BFDB109F54ED44BAA7BA9FB95321F194015FD15C61A0F7B49D84BB61

Function 00F3A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F3A844), ref: 00F3A782

Strings

TEXT, xrefs: 00F3A6B9
CLASSNN, xrefs: 00F3A524
CLASS, xrefs: 00F3A501
REGEXPCLASS, xrefs: 00F3A547
NAME, xrefs: 00F3A5B4
INSTANCE, xrefs: 00F3A690

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 14d7bbac58c8af452f6a881403c10851d01eeb6d0febc46b38aa62fe24b1c164
Instruction ID: c708e45ee919017f3fcd60d0bcc1cd20a12ea2a7bc1cbb668af2db9ff1f1d6db
Opcode Fuzzy Hash: 14d7bbac58c8af452f6a881403c10851d01eeb6d0febc46b38aa62fe24b1c164
Instruction Fuzzy Hash: 9C91C631A04649ABDB18EF71C8C2BE9FB74FF04324F148119E899A7191DF306959FBA1

Function 00EE2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EE2EAE

Part of subcall function 00EE1DB3: GetClientRect.USER32(?,?), ref: 00EE1DDC
Part of subcall function 00EE1DB3: GetWindowRect.USER32(?,?), ref: 00EE1E1D
Part of subcall function 00EE1DB3: ScreenToClient.USER32(?,?), ref: 00EE1E45

GetDC.USER32 ref: 00F1CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F1CEC5
SelectObject.GDI32(00000000,00000000), ref: 00F1CED3
SelectObject.GDI32(00000000,00000000), ref: 00F1CEE8
ReleaseDC.USER32(?,00000000), ref: 00F1CEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F1CF7B

Strings

U, xrefs: 00F1CE50

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b116ed13e143f1906316661efbcbf9adfda9fe04592f4cdb3718347983c3f8c9
Instruction ID: 86171abeaf84c61e383a9c73e9b2360748ae434b8e6afb4c5882aaa8b11cdc25
Opcode Fuzzy Hash: b116ed13e143f1906316661efbcbf9adfda9fe04592f4cdb3718347983c3f8c9
Instruction Fuzzy Hash: 6271B431840249DFCF219F64CC84AEA7BB6FF49360F144269FD556A2A6C7319C81EFA0

Function 00F58D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F6F910), ref: 00F58E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F6F910), ref: 00F58E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F58FEB
SysFreeString.OLEAUT32(?), ref: 00F59015

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 98927cb1414f1aa6acd53a40cde61a572a992c4ee7d26d39193b90b24d562793
Instruction ID: 1d979fa8ff6c5d1868e4078c99c3ec8965888ed81465de3ffeae8eeb70f7ff3f
Opcode Fuzzy Hash: 98927cb1414f1aa6acd53a40cde61a572a992c4ee7d26d39193b90b24d562793
Instruction Fuzzy Hash: 3EF16E71A00119EFCF04DF94C888EAEB7B9FF49355F108058FA15AB251CB71AE4ADB50

Function 00F5F7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5F7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F5FB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F5FB90
CloseHandle.KERNEL32(?), ref: 00F5FBBF
CloseHandle.KERNEL32(?), ref: 00F5FC36

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 5721b3e646092a3a311439c658e454c522fbd43caa6cdc9d80484c6ef826e690
Instruction ID: 9945013a02d28e5d73b6fa7029a6491f441f94291b76ee10daa001a25b650ab9
Opcode Fuzzy Hash: 5721b3e646092a3a311439c658e454c522fbd43caa6cdc9d80484c6ef826e690
Instruction Fuzzy Hash: 09E1D431604341DFC714EF24C881B6ABBE0EF84361F1484ADF9899B2A2DB35DC09EB52

Function 00F44D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F446AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F436DB,?), ref: 00F446CC

Part of subcall function 00F446AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F436DB,?), ref: 00F446E5

Part of subcall function 00F44AD8: GetFileAttributesW.KERNEL32(?,00F4374F), ref: 00F44AD9

lstrcmpiW.KERNEL32(?,?), ref: 00F44DE7
_wcscmp.LIBCMT ref: 00F44E01
MoveFileW.KERNEL32(?,?), ref: 00F44E1C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: aee63fec8e37bc38b1890b81a2a24f10d410dd5f6cc22ad1e195790e53698337
Instruction ID: 65776b3d53ffb4d88419f1beaebdfb05e0e16b6f94b2c390428b39c1d3d0436a
Opcode Fuzzy Hash: aee63fec8e37bc38b1890b81a2a24f10d410dd5f6cc22ad1e195790e53698337
Instruction Fuzzy Hash: 265142B24083859BC724DB90DC81ADFB7ECAF85310F00092EB589E3151EE74B68C9766

Function 00F68677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F68731

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f69c82abe513706b19029555da652d522463f47784b343045f7b53d4c8513fa6
Instruction ID: 413a18df6de156c82292ccf7094a8f7c6690db965b0f235ac86c8cd5fe57bae8
Opcode Fuzzy Hash: f69c82abe513706b19029555da652d522463f47784b343045f7b53d4c8513fa6
Instruction Fuzzy Hash: BE51A370900249BFDF209F29DC85B993BA4EB053A4F604619FA15EB1E1CF72AD81FB50

Function 00EE2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F1C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1C499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F1C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F1C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F1C4F0
DestroyIcon.USER32(00000000), ref: 00F1C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F1C51C
DestroyIcon.USER32(?), ref: 00F1C52B

Part of subcall function 00F6A4E1: DeleteObject.GDI32(00000000), ref: 00F6A51A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 39d2795046e7fbbdb7884ee8b4aeb234c24a4514764fd8db5185d7f0de59e5f6
Instruction ID: b69f600ccdc986a5b3e914dc930daa714efb2c0cc9b50b40ab1014702f49087c
Opcode Fuzzy Hash: 39d2795046e7fbbdb7884ee8b4aeb234c24a4514764fd8db5185d7f0de59e5f6
Instruction Fuzzy Hash: 65515B70A50249AFDB20DF25DC45FAA77B9FB58720F10452CF952A72A0D7B0AD90EB90

Function 00F39930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3AC57
Part of subcall function 00F3AC37: GetCurrentThreadId.KERNEL32 ref: 00F3AC5E
Part of subcall function 00F3AC37: AttachThreadInput.USER32(00000000,?,00F39945,?,00000001), ref: 00F3AC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F39950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F3996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F39970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F39979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F39997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F3999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F399A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F399BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F399BD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 456daff69740186a4761c3890e8541d479967733310d56363011e44d03056931
Instruction ID: eba0e16b2a2e9b3b0c2bb6c1c3547a1dd054f604fe91698eba2b9b4f03c66bb9
Opcode Fuzzy Hash: 456daff69740186a4761c3890e8541d479967733310d56363011e44d03056931
Instruction Fuzzy Hash: 5E11217151060CBFF6106B20EC89F6A3B2CEB4D7A0F100029F264AB0E1C9F35C00EAA0

Function 00F38BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F38864,00000B00,?,?), ref: 00F38BEC
HeapAlloc.KERNEL32(00000000,?,00F38864,00000B00,?,?), ref: 00F38BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F38864,00000B00,?,?), ref: 00F38C08
GetCurrentProcess.KERNEL32(?,00000000,?,00F38864,00000B00,?,?), ref: 00F38C10
DuplicateHandle.KERNEL32(00000000,?,00F38864,00000B00,?,?), ref: 00F38C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F38864,00000B00,?,?), ref: 00F38C23
GetCurrentProcess.KERNEL32(00F38864,00000000,?,00F38864,00000B00,?,?), ref: 00F38C2B
DuplicateHandle.KERNEL32(00000000,?,00F38864,00000B00,?,?), ref: 00F38C2E
CreateThread.KERNEL32(00000000,00000000,00F38C54,00000000,00000000,00000000), ref: 00F38C48

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5f49d491da4b25016044936881ad4604caf414a11dc69c6bcd80cd20537b3349
Instruction ID: ce8eb3de67159a8d580f949801b54ec0f450bed975dc0b9d597466818aabd7e1
Opcode Fuzzy Hash: 5f49d491da4b25016044936881ad4604caf414a11dc69c6bcd80cd20537b3349
Instruction Fuzzy Hash: D601BBB5240348FFE710ABA5EC4DF6B3BACEB89751F004421FA15DB1A1CAB59804EB20

Function 00F59228 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5927C
VariantInit.OLEAUT32(?), ref: 00F5934D
VariantInit.OLEAUT32(?), ref: 00F5944E
VariantClear.OLEAUT32(?), ref: 00F59458
VariantClear.OLEAUT32(?), ref: 00F594B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F592DD, 00F5940B, 00F594C3
Incorrect Object type in FOR..IN loop, xrefs: 00F59431

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 0d8d41f4c59ecca600a12206ae121ca9ba9ec4f85c192ea2f444c28b52ff0cf6
Instruction ID: 1ac7b9298f50d7f1c694eaad93ebc098cf0bbc81388302c4f0d69d2ff6ceea0f
Opcode Fuzzy Hash: 0d8d41f4c59ecca600a12206ae121ca9ba9ec4f85c192ea2f444c28b52ff0cf6
Instruction Fuzzy Hash: D791B371E04219EBDF28DFA5C844FAE77B8EF45321F108159FA05AB280D7B09D09DBA0

Function 00F59872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F37432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?,?,00F3777D), ref: 00F3744F
Part of subcall function 00F37432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?), ref: 00F3746A
Part of subcall function 00F37432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?), ref: 00F37478
Part of subcall function 00F37432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?), ref: 00F37488

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F5991B
_memset.LIBCMT ref: 00F59928
_memset.LIBCMT ref: 00F59A6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F59A97
CoTaskMemFree.OLE32(?), ref: 00F59AA2

Strings

NULL Pointer assignment, xrefs: 00F59AF0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 1a79a5e36576a3da33d612463f3986e55c2fd449f827587c560060a6e711d4aa
Instruction ID: 1334415e15042545ccdf757e228e96c57e30436abe5286fd08da1c9d3c76b651
Opcode Fuzzy Hash: 1a79a5e36576a3da33d612463f3986e55c2fd449f827587c560060a6e711d4aa
Instruction Fuzzy Hash: EF912871D0021DEBDB14DFA5DC85ADEBBB8EF08710F10416AF919A7281DBB09A45DFA0

Function 00F66DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F66E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F66E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F66E84
_wcscat.LIBCMT ref: 00F66EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F66EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F66F24

Strings

SysListView32, xrefs: 00F66E28

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: ba946f198ad97c129deacb331653c1b0e609f877c11a023a93a10bf6fb8eb4b1
Instruction ID: 4e547b232734717affd8d8413bd55639f6f62a0fda09fa94ca19bf20986f1967
Opcode Fuzzy Hash: ba946f198ad97c129deacb331653c1b0e609f877c11a023a93a10bf6fb8eb4b1
Instruction Fuzzy Hash: D741A171A00308ABEF21DF64DC85BEE77E8EF08360F10046AF555E7192D7769D84AB64

Function 00F5EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F43C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00F43CBE
Part of subcall function 00F43C99: Process32FirstW.KERNEL32(00000000,?), ref: 00F43CCC
Part of subcall function 00F43C99: CloseHandle.KERNEL32(00000000), ref: 00F43D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5EAB8
GetLastError.KERNEL32 ref: 00F5EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F5EB77
GetLastError.KERNEL32(00000000), ref: 00F5EB82
CloseHandle.KERNEL32(00000000), ref: 00F5EBB7

Strings

SeDebugPrivilege, xrefs: 00F5EAD6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 76824cce8120c0263a263a5e4436e700b6fcdd14afc0f43e2705c56a2d186379
Instruction ID: 9d6154fe6c65480e5f0736b2feafa7a34a25f51c788f9dd52397898a6acfa907
Opcode Fuzzy Hash: 76824cce8120c0263a263a5e4436e700b6fcdd14afc0f43e2705c56a2d186379
Instruction Fuzzy Hash: 7141B171600205AFDB18EF14CC95F6DB7E5AF84325F088058F9469B3D3CBB9A908EB85

Function 00F4302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F430CD

Strings

blank, xrefs: 00F4304F
warning, xrefs: 00F430B6
stop, xrefs: 00F4309E
info, xrefs: 00F4306E
question, xrefs: 00F43086

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: de2593359f17fc09998b49cd90b24a9a859501029d44dada10206e3e47bcbda9
Instruction ID: 5b8c2d8cafe861a47a25eb74b6677ed3d4ca90d8fd34f9e46d4954de29d8436e
Opcode Fuzzy Hash: de2593359f17fc09998b49cd90b24a9a859501029d44dada10206e3e47bcbda9
Instruction Fuzzy Hash: 6711EB36A0D347BAE7349A58DC42D6A7B9C9F05378F10012AFD00961C1EAB5AF4175A1

Function 00F44339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F44353
LoadStringW.USER32(00000000), ref: 00F4435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F44370
LoadStringW.USER32(00000000), ref: 00F44377
_wprintf.LIBCMT ref: 00F4439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F443BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F44398

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c050ba7e16a340c4fa74044c4748ba4313ae6c835a10cd2567e53e990b7620f4
Instruction ID: f185961cb7d0a1f300c2cb6d65d8f3a101b5d7852b205a186c4866faa99108df
Opcode Fuzzy Hash: c050ba7e16a340c4fa74044c4748ba4313ae6c835a10cd2567e53e990b7620f4
Instruction Fuzzy Hash: 0E018FF280020CBFE7109BA0ED89EF6776CE709301F4005A1FB15E2051EAB59E896B70

Function 00F6D4A8 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetSystemMetrics.USER32(0000000F), ref: 00F6D4E6
GetSystemMetrics.USER32(0000000F), ref: 00F6D506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F6D741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F6D75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F6D780
ShowWindow.USER32(00000003,00000000), ref: 00F6D79F
InvalidateRect.USER32(?,00000000,00000001), ref: 00F6D7C4
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F6D7E7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3a992ed2e1d9ddc701983a67e4947cdbe1eeaaa849ce83f5e858f39936e1621a
Instruction ID: 6bf1c342fbd61cd20075f8910a6d35f993bd26e8f1b58f4bccccdd0229d507d2
Opcode Fuzzy Hash: 3a992ed2e1d9ddc701983a67e4947cdbe1eeaaa849ce83f5e858f39936e1621a
Instruction Fuzzy Hash: 55B1A971A00229EFDF18CF28C9C57AE7BB1BF04720F088169EC589A295D735AD50EB60

Function 00EE2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C347,00000004,00000000,00000000,00000000), ref: 00EE2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F1C347,00000004,00000000,00000000,00000000,000000FF), ref: 00EE2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F1C347,00000004,00000000,00000000,00000000), ref: 00F1C39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C347,00000004,00000000,00000000,00000000), ref: 00F1C406

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ccfca72641be3b88091f7cd9dab54e824f60f5ed257db2960b7f2dc825247b14
Instruction ID: 5a425b0e910681683eb597c037eef27c6132a6364f41ad627776afb0436ca399
Opcode Fuzzy Hash: ccfca72641be3b88091f7cd9dab54e824f60f5ed257db2960b7f2dc825247b14
Instruction Fuzzy Hash: 3F4168316086CC9AC7358F2ADC8CBBB3B9ABB45314F18D83DE25BA6160C67198C5F711

Function 00F4716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F47186

Part of subcall function 00F00F36: std::exception::exception.LIBCMT ref: 00F00F6C
Part of subcall function 00F00F36: __CxxThrowException@8.LIBCMT ref: 00F00F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F471BD
EnterCriticalSection.KERNEL32(?), ref: 00F471D9
_memmove.LIBCMT ref: 00F47227
_memmove.LIBCMT ref: 00F47244
LeaveCriticalSection.KERNEL32(?), ref: 00F47253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F47268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F47287

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0bc3c13a78fef2ca833362f76a7d06ba83cea7c73f6d13c81c7f3c39942c2df3
Instruction ID: 67e2938ac2647fe0e13e8b5894b91d785047b33c0b4ca521f8d5bc4cf878214b
Opcode Fuzzy Hash: 0bc3c13a78fef2ca833362f76a7d06ba83cea7c73f6d13c81c7f3c39942c2df3
Instruction Fuzzy Hash: 9B31907190420AEBCB10EF64DD85AAABB78FF45310F1441A5F9049B286DB709E14FBA0

Function 00F66205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F6621D
GetDC.USER32(00000000), ref: 00F66225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F66230
ReleaseDC.USER32(00000000,00000000), ref: 00F6623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F66278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F66289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F6905C,?,?,000000FF,00000000,?,000000FF,?), ref: 00F662C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F662E3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: dbeec72a0da2a8a05126c7946b258a776cf7c181c751e7aab249a4b2eeb94cb7
Instruction ID: 3e4cce4903b6e0950a02e11e989c5c752766c81fd0035fc6043f2a0909c1be03
Opcode Fuzzy Hash: dbeec72a0da2a8a05126c7946b258a776cf7c181c751e7aab249a4b2eeb94cb7
Instruction Fuzzy Hash: 89316D72601214BFEF118F50DC4AFEA3BA9EF09761F040065FE18DA1A1C6B59C55DB74

Function 00F4EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Part of subcall function 00EFFE06: _wcscpy.LIBCMT ref: 00EFFE29

_wcstok.LIBCMT ref: 00F4ED20
_wcscpy.LIBCMT ref: 00F4EDAF
_memset.LIBCMT ref: 00F4EDE2

Strings

X, xrefs: 00F4EE1F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: e93de03d9f6a6dee132d85e9249d93caacb682ef7ccb75613018439f6237d4f4
Instruction ID: 98af422e8c1c03e732213a3cbdf463de938fb8c1cecff4c721b77b2ffbb62ea3
Opcode Fuzzy Hash: e93de03d9f6a6dee132d85e9249d93caacb682ef7ccb75613018439f6237d4f4
Instruction Fuzzy Hash: 8FC191719083459FD724EF24C881A5EBBE4FF85320F10492DF8999B2A2DB70ED45DB82

Function 00F56C19 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F56D16
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F56D37
WSAGetLastError.WSOCK32(00000000), ref: 00F56D4A
htons.WSOCK32(?,?,?,00000000,?), ref: 00F56E00
inet_ntoa.WSOCK32(?), ref: 00F56DBD

Part of subcall function 00F3ABF4: _strlen.LIBCMT ref: 00F3ABFE
Part of subcall function 00F3ABF4: _memmove.LIBCMT ref: 00F3AC20

_strlen.LIBCMT ref: 00F56E5A
_memmove.LIBCMT ref: 00F56EC3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5ad9015928112bab92f122d9d7edc246cb07e2d4294aed702cdfc2e0507aae54
Instruction ID: 57eb1d1fd59596ecfe7b35d77ef01f164c6524b01fbf2d606d9f3722fed83713
Opcode Fuzzy Hash: 5ad9015928112bab92f122d9d7edc246cb07e2d4294aed702cdfc2e0507aae54
Instruction Fuzzy Hash: 7E81E072504304ABD710EF25CC86F6BB3E9EF84724F50491CFA69AB2A2DA709D08D791

Function 00EE1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f443742ab57a9a72a6ab5ecd924d1dc1fa69510d2bfaee9113567d3eb10ab09c
Instruction ID: b14f13a1618903a08a4f59626076f161ae822bf495fd8c6c8aa93bd119901f14
Opcode Fuzzy Hash: f443742ab57a9a72a6ab5ecd924d1dc1fa69510d2bfaee9113567d3eb10ab09c
Instruction Fuzzy Hash: A5715C3090015DEFCB148F99CC48EEEBB79FF85324F148199F925AA291D730AA91DB60

Function 00F6B385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01575730), ref: 00F6B41F
IsWindowEnabled.USER32(01575730), ref: 00F6B42B
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F6B50F
SendMessageW.USER32(01575730,000000B0,?,?), ref: 00F6B546
IsDlgButtonChecked.USER32(?,?), ref: 00F6B583
GetWindowLongW.USER32(01575730,000000EC), ref: 00F6B5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F6B5BD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 06a13cf9aaac9ba9cbb1ba3f4361cc73b211363c9dc617d827272bd7f972ade2
Instruction ID: 2609feb72fcdcca3fca96764c6d842d8a59de5a13d5b8a171a77517e4d523579
Opcode Fuzzy Hash: 06a13cf9aaac9ba9cbb1ba3f4361cc73b211363c9dc617d827272bd7f972ade2
Instruction Fuzzy Hash: 44719074A45208AFDB20DF55C895FBA7BB9FF49320F144069F956D7262CB32AC81EB10

Function 00F5F532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5F55C
_memset.LIBCMT ref: 00F5F625
ShellExecuteExW.SHELL32(?), ref: 00F5F66A

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Part of subcall function 00EFFE06: _wcscpy.LIBCMT ref: 00EFFE29

GetProcessId.KERNEL32(00000000), ref: 00F5F6E1
CloseHandle.KERNEL32(00000000), ref: 00F5F710

Strings

@, xrefs: 00F5F639

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 076448f7050ba7a7a359396e527646fbacf3cabeac488e66f3dd03761bb52b6e
Instruction ID: a52844eaf27be4023b1a2d813fce724486d8277650cd9075dceaf7b83aae32ec
Opcode Fuzzy Hash: 076448f7050ba7a7a359396e527646fbacf3cabeac488e66f3dd03761bb52b6e
Instruction Fuzzy Hash: B761C175A006199FCF14EF55C8819ADBBF4FF48310F1484A9E84ABB352CB30AD49DB90

Function 00F4127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F412BD
GetKeyboardState.USER32(?), ref: 00F412D2
SetKeyboardState.USER32(?), ref: 00F41333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F41361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F41380
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F413C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F413E9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
Instruction ID: 548a9bee4d02c2d3d7cd585970bfdb5e273a85e4d306804e894d31e9c235c83a
Opcode Fuzzy Hash: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
Instruction Fuzzy Hash: 6A5103A0E087D53DFB328634CC45BBA7EA97F06314F084589E8D5868D2D6D8ACC8F750

Function 00F41097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F410D6
GetKeyboardState.USER32(?), ref: 00F410EB
SetKeyboardState.USER32(?), ref: 00F4114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F41178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F41195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F411D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F411FA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
Instruction ID: 30fc8dc73e8ef386210b412cc6c1063f66e01d840b663c963395d7c1e7195c43
Opcode Fuzzy Hash: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
Instruction Fuzzy Hash: 855125A0A447D63DFB3683248C41BBABEAD7F46310F0C8589E9D5868C2D694EDC8F750

Function 00F456A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F456B1
_wcsncpy.LIBCMT ref: 00F456E6
_wcsncpy.LIBCMT ref: 00F45718
_wcsncpy.LIBCMT ref: 00F4574B
_wcsncpy.LIBCMT ref: 00F4578D
_wcsncpy.LIBCMT ref: 00F457C7
_wcsncpy.LIBCMT ref: 00F457F6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 9290382f4cf264532f97f29e82b0ee2aaadb200d698d415e3ff15f75996656cb
Instruction ID: b0e91b086071787e02056910aa3cee6c137defe737c8f40e29159b055579341f
Opcode Fuzzy Hash: 9290382f4cf264532f97f29e82b0ee2aaadb200d698d415e3ff15f75996656cb
Instruction Fuzzy Hash: DF41C4A5C20618B6CB11FBB49C869CFB7BC9F05710F108466F918E3162FA38A704E3E5

Function 00F436B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F446AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F436DB,?), ref: 00F446CC

Part of subcall function 00F446AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F436DB,?), ref: 00F446E5

lstrcmpiW.KERNEL32(?,?), ref: 00F436FB
_wcscmp.LIBCMT ref: 00F43717
MoveFileW.KERNEL32(?,?), ref: 00F4372F
_wcscat.LIBCMT ref: 00F43777
SHFileOperationW.SHELL32(?), ref: 00F437E3

Strings

\*.*, xrefs: 00F43771

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ff84cc3ab48fdc98be5d8dd9c513b6f46b020e91d307af710a3aa043d9989ae3
Instruction ID: 2634df56e3fe329a8f512779e495fe230c50f770835fae4ab77efff97ba5732b
Opcode Fuzzy Hash: ff84cc3ab48fdc98be5d8dd9c513b6f46b020e91d307af710a3aa043d9989ae3
Instruction Fuzzy Hash: 3F417EB250C3859AC751EF64D841ADBBBE8EF89390F00092EB8D9D3151EA38D688D756

Function 00F672C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F672DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F67383
IsMenu.USER32(?), ref: 00F6739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F673E3
DrawMenuBar.USER32 ref: 00F673F6

Strings

0, xrefs: 00F672D0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 878cc1176845d8306fccf4c659c991cca9794a2328f64ece24e8ef3774f09c93
Instruction ID: 46f10c7326d834b33f2b212c7de0e50d8d50f0b322257564806b12fbbc7638cc
Opcode Fuzzy Hash: 878cc1176845d8306fccf4c659c991cca9794a2328f64ece24e8ef3774f09c93
Instruction Fuzzy Hash: A6410875A04309EFDB20EF50D888A9ABBF8FB05368F048129ED5597260D770AD55EB90

Function 00F6102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F6105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F61086
FreeLibrary.KERNEL32(00000000), ref: 00F6113D

Part of subcall function 00F6102D: RegCloseKey.ADVAPI32(?), ref: 00F610A3
Part of subcall function 00F6102D: FreeLibrary.KERNEL32(?), ref: 00F610F5
Part of subcall function 00F6102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F61118

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F610E0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e1f064b981ae8097e64fc3ae8b95081347e9a7301ab92b932fd32d2103b87d2a
Instruction ID: 45e363ebd0f0a0cfc93e623472fcaa3a91ece07f5f6c9ca327110ddade9da382
Opcode Fuzzy Hash: e1f064b981ae8097e64fc3ae8b95081347e9a7301ab92b932fd32d2103b87d2a
Instruction Fuzzy Hash: 18310BB1D01119BFDB15DB90EC89AFFB7BCEF09350F040169E511A2151EA749E89ABA0

Function 00F662FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F6631E
GetWindowLongW.USER32(01575730,000000F0), ref: 00F66351
GetWindowLongW.USER32(01575730,000000F0), ref: 00F66386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F663B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F663E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00F663F3
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F6640D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 54c937cf760c538a0dd244ca6248bd7114bb5dc97713833a303a598a80538706
Instruction ID: b002e4a5c0a1b808da9b67e14d235474efbb623f5614dd985abf0a29282b5497
Opcode Fuzzy Hash: 54c937cf760c538a0dd244ca6248bd7114bb5dc97713833a303a598a80538706
Instruction Fuzzy Hash: 4F31C231A042549FEB21CF18EC85F5937E1FB4AB20F1941A4F525DF3B2CB62AC44AB51

Function 00F56289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F57ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F562DC
WSAGetLastError.WSOCK32(00000000), ref: 00F562EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F56324
connect.WSOCK32(00000000,?,00000010), ref: 00F5632D
WSAGetLastError.WSOCK32 ref: 00F56337
closesocket.WSOCK32(00000000), ref: 00F56360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F56379

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 0da5de66b49bb3d8fd1deac45c87a42bcfcded1a3681812ab7021cd82f91b19a
Instruction ID: d5c29dfd523e04f1bc05f2e92eff47ba33314cf62d33164f114e1117611b2fd5
Opcode Fuzzy Hash: 0da5de66b49bb3d8fd1deac45c87a42bcfcded1a3681812ab7021cd82f91b19a
Instruction Fuzzy Hash: AC31E431600218AFDB10AF60DC85BBE7BF9EF44321F404069FE15E7291DB74AC08ABA1

Function 00F3F98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F3F9A2
__wcsnicmp.LIBCMT ref: 00F3F9C3
__wcsnicmp.LIBCMT ref: 00F3F9DD

Strings

#notrayicon, xrefs: 00F3F99A
#OnAutoItStartRegister, xrefs: 00F3F9D7
#requireadmin, xrefs: 00F3F9BD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f4fc0a72db56003d830b369c799e970366ad851bdaa12704e93c4418e4be364d
Instruction ID: 806861167cccd5fc4c988e8bd696b661671cc9be9bae83eb5977907146416a86
Opcode Fuzzy Hash: f4fc0a72db56003d830b369c799e970366ad851bdaa12704e93c4418e4be364d
Instruction Fuzzy Hash: 45216B33D0921576D730EA259C02FB773D8DF55330F544037F88A86181EB989E46F2A2

Function 00F675FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F67664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F67671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F6767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F6768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F67697

Strings

Msctls_Progress32, xrefs: 00F67635

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8e8460756bc87a20be12282146027c766c49675d02cd89ff2f1c528250b2768c
Instruction ID: a75925fde9d8097af58372deccf7a3371a0a92707b4addc68ebc5c356d02aa2e
Opcode Fuzzy Hash: 8e8460756bc87a20be12282146027c766c49675d02cd89ff2f1c528250b2768c
Instruction Fuzzy Hash: 5A11B2B251021DBFEF119F64CC85EE77F6DEF08768F014115BA04A20A0C672AC21EBA0

Function 00F04109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F041D2,?), ref: 00F04123
GetProcAddress.KERNEL32(00000000), ref: 00F0412A
EncodePointer.KERNEL32(00000000), ref: 00F04136
DecodePointer.KERNEL32(00000001,00F041D2,?), ref: 00F04153

Strings

combase.dll, xrefs: 00F0411E
RoInitialize, xrefs: 00F04112

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 45672abab150ee3886d74707411c656722615e9e3bf29d17c677a28d87d64698
Instruction ID: a3c9a53c2b7a2bebacd6f9a1a7258d5558688743ae386562464833b3f43e61d5
Opcode Fuzzy Hash: 45672abab150ee3886d74707411c656722615e9e3bf29d17c677a28d87d64698
Instruction Fuzzy Hash: F3E0E5B0A90348AAEB205B70EC09B043AA5A757B82F108425F525D51E0CAF59189BE01

Function 00F041DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F040F8), ref: 00F041F8
GetProcAddress.KERNEL32(00000000), ref: 00F041FF
EncodePointer.KERNEL32(00000000), ref: 00F0420A
DecodePointer.KERNEL32(00F040F8), ref: 00F04225

Strings

combase.dll, xrefs: 00F041F3
RoUninitialize, xrefs: 00F041E7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: c9c5c28f82beb0b1b998d06ec32e3bdedbc94e8a6d62e7b0049a29d8261ae76c
Instruction ID: cda50ebc781a1028f4c05609a4f06d42bd844a52959071b5f83013cdb9cd83bc
Opcode Fuzzy Hash: c9c5c28f82beb0b1b998d06ec32e3bdedbc94e8a6d62e7b0049a29d8261ae76c
Instruction Fuzzy Hash: A8E0B6F0E81308AFEB509B61FD0EB147AA4B716B42F204025F125E11A0CBB69608FA11

Function 00F46561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F466B4
_memmove.LIBCMT ref: 00F465EF

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

_memmove.LIBCMT ref: 00F46662
_memmove.LIBCMT ref: 00F46749
_memmove.LIBCMT ref: 00F46762
_memmove.LIBCMT ref: 00F4677E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 816739762f22c61dd1eac28b8b0fca2c1ad7aba257a2a36d8171e5a3a2347d18
Instruction ID: 90c83bea50f52f52e763116175f3cb32d45f02ecff4824aec6592646bfe510b4
Opcode Fuzzy Hash: 816739762f22c61dd1eac28b8b0fca2c1ad7aba257a2a36d8171e5a3a2347d18
Instruction Fuzzy Hash: 47619B3150069AABCF11EF20CC82EFE7BA4AF45318F054519FC59AB192DF39AD05EB51

Function 00F6026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F60EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FE38,?,?), ref: 00F60EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F60388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F603AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F603D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F60417
RegCloseKey.ADVAPI32(00000000), ref: 00F60424

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a7a06170d208e5b9580ab371cacfe48fe481b798f730b241c759fd9a58c0c0e4
Instruction ID: fe06af198e6423052073a2a765b02c6f36ebd63108f789a8ddedb11ca54da654
Opcode Fuzzy Hash: a7a06170d208e5b9580ab371cacfe48fe481b798f730b241c759fd9a58c0c0e4
Instruction Fuzzy Hash: 57517731608244AFC714EF64D885E6FBBE8FF88314F14482DF599972A2DB71E904EB52

Function 00F65802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F65864
GetMenuItemCount.USER32(00000000), ref: 00F6589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F658C3
GetMenuItemID.USER32(?,?), ref: 00F65932
GetSubMenu.USER32(?,?), ref: 00F65940
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F65991

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 546caf7d2fae60519eb8a4f1cce96d9a1f38f3b3fb2a973e2407ee58440e5d94
Instruction ID: 71e64ffce3d1c637da16b336b507ae023d1f44558dc546316c201e948c47cfe8
Opcode Fuzzy Hash: 546caf7d2fae60519eb8a4f1cce96d9a1f38f3b3fb2a973e2407ee58440e5d94
Instruction Fuzzy Hash: 10518E72E00619EFCF11EFA4C845AAEB7B5EF48720F104069E855BB351CB75AE41EB90

Function 00F3F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F3F218
VariantClear.OLEAUT32(00000013), ref: 00F3F28A
VariantClear.OLEAUT32(00000000), ref: 00F3F2E5
_memmove.LIBCMT ref: 00F3F30F
VariantClear.OLEAUT32(?), ref: 00F3F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F3F38A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 98fab753a5c7584f812a749a51ee625a50b0a5cf23681993b65a569a1031f752
Instruction ID: 5eb6d57268ef39216d144b15f5ddeafc12f8be70bd8d9622880d57570112e04c
Opcode Fuzzy Hash: 98fab753a5c7584f812a749a51ee625a50b0a5cf23681993b65a569a1031f752
Instruction Fuzzy Hash: AE5138B5A00209EFDB14CF58D884AAAB7B8FF4C324F158569E959DB341D730E915CFA0

Function 00F42502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F4259B
IsMenu.USER32(00000000), ref: 00F425BB
CreatePopupMenu.USER32 ref: 00F425EF
GetMenuItemCount.USER32(000000FF), ref: 00F4264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F4267E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
Instruction ID: 894154c2289b0367bb4405a84bed074c245939c86553756d810bf9cdbc883b2d
Opcode Fuzzy Hash: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
Instruction Fuzzy Hash: 15519A70A00209EBDF60CF68D898BAEBFF5BF45324F554169FC119B290EBB09944EB51

Function 00EE1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00EE179A
GetWindowRect.USER32(?,?), ref: 00EE17FE
ScreenToClient.USER32(?,?), ref: 00EE181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EE182C
EndPaint.USER32(?,?), ref: 00EE1876

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: a980e27a8a50cd391dc0d83cb34c132cde6b732bde822542ec42c633d6cfa3f3
Instruction ID: 187b7419e25e822a382fbc40e21a294903bf33656c485e8f6686f35d3563c3a2
Opcode Fuzzy Hash: a980e27a8a50cd391dc0d83cb34c132cde6b732bde822542ec42c633d6cfa3f3
Instruction Fuzzy Hash: 9C41C270500348EFC710DF25DC84FBA7BE8FB4A724F040269F6A4972A1C7719885EB61

Function 00F6B6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FA57B0,00000000,01575730,?,?,00FA57B0,?,00F6B5DC,?,?), ref: 00F6B746
EnableWindow.USER32(00000000,00000000), ref: 00F6B76A
ShowWindow.USER32(00FA57B0,00000000,01575730,?,?,00FA57B0,?,00F6B5DC,?,?), ref: 00F6B7CA
ShowWindow.USER32(00000000,00000004,?,00F6B5DC,?,?), ref: 00F6B7DC
EnableWindow.USER32(00000000,00000001), ref: 00F6B800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F6B823

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
Instruction ID: 40b938bb545f4ccd9f65be298d6e4b79a0ce0646cff7774b65288175efec623d
Opcode Fuzzy Hash: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
Instruction Fuzzy Hash: A0418034A00144EFDB22CF24D489B947BE1FF45321F1841B9E958CF2A2C772A886EB91

Function 00F571B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F54F57,?,?,00000000,00000001), ref: 00F571C1

Part of subcall function 00F53AB6: GetWindowRect.USER32(?,?), ref: 00F53AC9

GetDesktopWindow.USER32 ref: 00F571EB
GetWindowRect.USER32(00000000), ref: 00F571F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F57224

Part of subcall function 00F452EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45363

GetCursorPos.USER32(?), ref: 00F57250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F572AE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7b5c149f1b36ab808ea49593bd7d3fd3def6028e53d0065ad9949e9e9ca0531b
Instruction ID: 3e5fa7259e2e26b02f192c9a88682e1904fad444a9b61f94009a6ac5a05a8f33
Opcode Fuzzy Hash: 7b5c149f1b36ab808ea49593bd7d3fd3def6028e53d0065ad9949e9e9ca0531b
Instruction Fuzzy Hash: 9C31D472509309ABD710EF14DC49B5BBBA9FF88314F000919F99597191C775EA08DB92

Function 00F38B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F383D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F383E8
Part of subcall function 00F383D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F383F2
Part of subcall function 00F383D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F38401
Part of subcall function 00F383D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F38408
Part of subcall function 00F383D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F3841E

GetLengthSid.ADVAPI32(?,00000000,00F38757), ref: 00F38B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F38B98
HeapAlloc.KERNEL32(00000000), ref: 00F38B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F38BB8
GetProcessHeap.KERNEL32(00000000,00000000,00F38757), ref: 00F38BCC
HeapFree.KERNEL32(00000000), ref: 00F38BD3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3f7e0116f051432d47f8ba4bab44da1f5d3b4d134a55c0b8d1551eab98939c6b
Instruction ID: 2db88d8b4f34c6d97335426985c13a649507b39e2a3be6d3bb1ffb0f0d7a86a9
Opcode Fuzzy Hash: 3f7e0116f051432d47f8ba4bab44da1f5d3b4d134a55c0b8d1551eab98939c6b
Instruction Fuzzy Hash: 5611A271900309FFDB109F54DC09BAEB778FB853B5F104018F85697150CB799A09EB60

Function 00F388D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F3890A
OpenProcessToken.ADVAPI32(00000000), ref: 00F38911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F38920
CloseHandle.KERNEL32(00000004), ref: 00F3892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F3895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F3896E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
Instruction ID: b767ec99bcaaaf54512ed166ee2678a8205f4729090a78291a122d0febd1c772
Opcode Fuzzy Hash: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
Instruction Fuzzy Hash: B7115C7250120DEBDF018FA4ED49BEE7BA9EF08768F044064FE04A2160C7B58D65AB61

Function 00F3BA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F3BA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F3BA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F3BA8F
ReleaseDC.USER32(00000000,00000000), ref: 00F3BA97
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F3BAAE
MulDiv.KERNEL32(000009EC,?,?), ref: 00F3BAC0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a59d9a01f9fe5b2b9fb19885baefa45f8c5396b62a7891a748e7bcb69c51c538
Instruction ID: 05908999422d481796b3f7d0fc48d4e4011ca0788d7f38c54a176745424ff92a
Opcode Fuzzy Hash: a59d9a01f9fe5b2b9fb19885baefa45f8c5396b62a7891a748e7bcb69c51c538
Instruction Fuzzy Hash: E00171B5E00318BBEF109BA59D45A5EBFA8EB48761F004065FA04A7291D6719900DF90

Function 00F002E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F00313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F0031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F00326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F00331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F00339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F00341

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
Instruction ID: ad7bce91a1c3dfed5a9f837cc8bf6ce390385f7673230e0b1792d4b06deb739e
Opcode Fuzzy Hash: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
Instruction Fuzzy Hash: F3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5

Function 00F45490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F454A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F454B6
GetWindowThreadProcessId.USER32(?,?), ref: 00F454C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F454D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F454DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F454E5

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
Instruction ID: 79c89587bd96181d7f6f1e7f5a7eaa18b0e1674f74bd7ec3e7d9ed7adaca2ba4
Opcode Fuzzy Hash: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
Instruction Fuzzy Hash: 9BF06D3224011CBBE3215BA2EC0EEAB7E7CEBCAB11F000169FA10D10A196E11A05A6B5

Function 00F472D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F472EC
EnterCriticalSection.KERNEL32(?,?,00EF1044,?,?), ref: 00F472FD
TerminateThread.KERNEL32(00000000,000001F6,?,00EF1044,?,?), ref: 00F4730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EF1044,?,?), ref: 00F47317

Part of subcall function 00F46CDE: CloseHandle.KERNEL32(00000000,?,00F47324,?,00EF1044,?,?), ref: 00F46CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F4732A
LeaveCriticalSection.KERNEL32(?,?,00EF1044,?,?), ref: 00F47331

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
Instruction ID: 7ba2c19099460261fe9adf9e2b2e146388417748554f20340211b022c4e52e1e
Opcode Fuzzy Hash: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
Instruction Fuzzy Hash: C4F05E36544716EBE7112B64FD9C9EA7B2AFF4A312B000531FA12910A0CBB55815FFA0

Function 00F38C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F38C5F
UnloadUserProfile.USERENV(?,?), ref: 00F38C6B
CloseHandle.KERNEL32(?), ref: 00F38C74
CloseHandle.KERNEL32(?), ref: 00F38C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F38C85
HeapFree.KERNEL32(00000000), ref: 00F38C8C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a2dd3e03ef27e7eb7ff2bad6393ff92a6f0bdb00e72fdb2c3f67f9e8dd014aca
Instruction ID: aa4c2a058a767c17f51b2c1fb629df8a10729c39c9e33fe53c9570e20f9edf35
Opcode Fuzzy Hash: a2dd3e03ef27e7eb7ff2bad6393ff92a6f0bdb00e72fdb2c3f67f9e8dd014aca
Instruction Fuzzy Hash: CAE0C236004009FBDA011FE1FC0C90ABB69FB8A362B108230F22981170CBB29428EB50

Function 00F58702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F58728
CharUpperBuffW.USER32(?,?), ref: 00F58837
VariantClear.OLEAUT32(?), ref: 00F589AF

Part of subcall function 00F4760B: VariantInit.OLEAUT32(00000000), ref: 00F4764B
Part of subcall function 00F4760B: VariantCopy.OLEAUT32(00000000,?), ref: 00F47654
Part of subcall function 00F4760B: VariantClear.OLEAUT32(00000000), ref: 00F47660

Strings

AUTOIT.ERROR, xrefs: 00F5883D
Incorrect Parameter format, xrefs: 00F58760, 00F58922

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: eb87742d78a5b32af80cff05345a9b72e6654ac57585c89f0f4286a59dfb1c00
Instruction ID: b3bdbb1158a9969f9d4ca35389af0ccf1254ae679fc148e03d735ddefc9da279
Opcode Fuzzy Hash: eb87742d78a5b32af80cff05345a9b72e6654ac57585c89f0f4286a59dfb1c00
Instruction Fuzzy Hash: A391C131608341DFC700DF24C48096ABBF4EF89754F14892EF98A9B362DB31E90ADB52

Function 00F42D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFFE06: _wcscpy.LIBCMT ref: 00EFFE29

_memset.LIBCMT ref: 00F42E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F42EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F42F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F42F8F

Strings

0, xrefs: 00F42E6B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: f63c038cfff353b611ad38b8556c0c38762d0a587b40cdd71a7e3c316868bf92
Instruction ID: 0f23bd4b558be31db113f4edaf584fb1107c38ef3d686a14173fe9efc21f2f21
Opcode Fuzzy Hash: f63c038cfff353b611ad38b8556c0c38762d0a587b40cdd71a7e3c316868bf92
Instruction Fuzzy Hash: 1951AC71A083019ED7A49F28D84476BBBF4AB85330F840A3DFC95D3191DB64CD48B792

Function 00F3D87B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3D8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F3D919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F3D92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F3D9AC

Strings

DllGetClassObject, xrefs: 00F3D91F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e4bb1ead1c8625e4d06378e303afb51c1a7b38f02780c1c677eacf5eb86f6b41
Instruction ID: a862639dc490fc4e175cf3e06a551b56cdfa36be10dac41e8be01863fd2553d6
Opcode Fuzzy Hash: e4bb1ead1c8625e4d06378e303afb51c1a7b38f02780c1c677eacf5eb86f6b41
Instruction Fuzzy Hash: 3C41A172601204EFDB05DF55E884B9ABBB9EF45324F1180A9EC099F246D7B4DD44EBA0

Function 00F42A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F42AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00F42B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FA5890,00000000), ref: 00F42B63

Strings

0, xrefs: 00F42AAD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 32dc8ddfbd83160bdb06e949853035f924777845c03ccb411b966b80872fa346
Instruction ID: e1a3034c8593865cc817dead3733c8c2e43cdd25f2478ae6e9d3ff6447b6d9c2
Opcode Fuzzy Hash: 32dc8ddfbd83160bdb06e949853035f924777845c03ccb411b966b80872fa346
Instruction Fuzzy Hash: 3641CE716043029FD720DF24DC85B2ABBE8EF85320F54462EFCA6972A1D774E904DB62

Function 00F5D8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5D8D9

Part of subcall function 00EE79AB: _memmove.LIBCMT ref: 00EE79F9

Strings

winapi, xrefs: 00F5D94A
stdcall, xrefs: 00F5D95B
none, xrefs: 00F5D9B4
cdecl, xrefs: 00F5D930

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: c55ba67395d7397c8a6a2cc885b74ff1b7ee3d937f4c251d9496bd8c0baf1aee
Instruction ID: 1ab95692ba54e05386282a8d577b0c555c4e8a69efea5aa01254dc296a060000
Opcode Fuzzy Hash: c55ba67395d7397c8a6a2cc885b74ff1b7ee3d937f4c251d9496bd8c0baf1aee
Instruction Fuzzy Hash: 8631A371904619AFDF10EF55CC919EEB3B4FF05320F10862AE965A76D1CB71AE09EB80

Function 00F39152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F391D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F391E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F39219

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Strings

ComboBox, xrefs: 00F39160
ListBox, xrefs: 00F39195

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ba7fc03852013a9b198ace40858a257ac058118ac7f0e18e5f6f35d8b4a0ba19
Instruction ID: 9056efbf6f2b09d60b513f187691227f71ba3fc3cfb0ad0b96ef3b56be8c6640
Opcode Fuzzy Hash: ba7fc03852013a9b198ace40858a257ac058118ac7f0e18e5f6f35d8b4a0ba19
Instruction Fuzzy Hash: CE21F6729081087ADB14AB75DC85DFFB7B8DF45370F104129F865A72E0DBB94D4AB620

Function 00F51943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F51962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F51988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F519B8
InternetCloseHandle.WININET(00000000), ref: 00F519FF

Part of subcall function 00F52599: GetLastError.KERNEL32(?,?,00F5192D,00000000,00000000,00000001), ref: 00F525AE
Part of subcall function 00F52599: SetEvent.KERNEL32(?,?,00F5192D,00000000,00000000,00000001), ref: 00F525C3

Strings

, xrefs: 00F519A9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3126fb2f18f7f40e7e3137d89f708425f35aa773f26de773187b6fb0b1a70197
Instruction ID: 2e81b254a14fcafe7ac66d4e30ba8fb8525288b8a58ddf82067942f58f9d854e
Opcode Fuzzy Hash: 3126fb2f18f7f40e7e3137d89f708425f35aa773f26de773187b6fb0b1a70197
Instruction Fuzzy Hash: F421C5B2500209BFEB119F60DC95FBF77ACFB49756F10021AFA0596140EB64AE09B7A1

Function 00F66419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F66493
LoadLibraryW.KERNEL32(?), ref: 00F6649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F664AF
DestroyWindow.USER32(?), ref: 00F664B7

Strings

SysAnimate32, xrefs: 00F6646E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4995f232b31cc8b51b013146d286ebedf6df1e95da69e06185f7f63a53443710
Instruction ID: 7b2c42fae09fb63878bf996ef4426b617f0b1612e9de15c6b04c7fb8f99ce88b
Opcode Fuzzy Hash: 4995f232b31cc8b51b013146d286ebedf6df1e95da69e06185f7f63a53443710
Instruction Fuzzy Hash: E6219D71A00209ABEF108E65EC80EBB37ADEF49374F108629FA14D2190CB72DC51B760

Function 00F46E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F46E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F46E98
GetStdHandle.KERNEL32(0000000C), ref: 00F46EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F46EE4

Strings

nul, xrefs: 00F46EDF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d405e8fad11e4eedc332eb5ba9d434e03c3cde910ecab00ba2b05f938ee4949e
Instruction ID: ac27f02beb572f18ff7b375f366d14aea73629d5817a05d7dd60550d40f8ce28
Opcode Fuzzy Hash: d405e8fad11e4eedc332eb5ba9d434e03c3cde910ecab00ba2b05f938ee4949e
Instruction Fuzzy Hash: EF21A179A00209ABDF209F29DC04A9A7FF4AF46731F204629FDA0D72D0DB709C54EB56

Function 00F46F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F46F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F46F64
GetStdHandle.KERNEL32(000000F6), ref: 00F46F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F46FAF

Strings

nul, xrefs: 00F46FAA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1e09e41b19f0db0f7e498baa3181090a499345b062433d49f4cb0a6e95ec8385
Instruction ID: db13d2fc8d53bb20830da6314528b68860c769460cbcbd9f85d1c427d8d5446c
Opcode Fuzzy Hash: 1e09e41b19f0db0f7e498baa3181090a499345b062433d49f4cb0a6e95ec8385
Instruction Fuzzy Hash: A021B371A00305ABDB209F69AC04A997BF8AF56734F204659FCF0D72D0E7709889AB52

Function 00F4ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4ACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F4AD32
__swprintf.LIBCMT ref: 00F4AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F6F910), ref: 00F4AD89

Strings

%lu, xrefs: 00F4AD45

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3322b00cfe204b560dfac2fde07009169feb62d14b3447df369b27e441b99526
Instruction ID: ddaada8a337a9d036569d0b1df17c11f0041066f63c84a1b79c699b87ae91a50
Opcode Fuzzy Hash: 3322b00cfe204b560dfac2fde07009169feb62d14b3447df369b27e441b99526
Instruction Fuzzy Hash: F7216031A0010DAFCB10DF65DD85EAE7BF8EF89714B004069F909AB252DA71EA45DB61

Function 00F3A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00F3A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F3A179
Part of subcall function 00F3A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3A18C
Part of subcall function 00F3A15C: GetCurrentThreadId.KERNEL32 ref: 00F3A193
Part of subcall function 00F3A15C: AttachThreadInput.USER32(00000000), ref: 00F3A19A

GetFocus.USER32 ref: 00F3A334

Part of subcall function 00F3A1A5: GetParent.USER32(?), ref: 00F3A1B3

GetClassNameW.USER32(?,?,00000100), ref: 00F3A37D
EnumChildWindows.USER32(?,00F3A3F5), ref: 00F3A3A5
__swprintf.LIBCMT ref: 00F3A3BF

Strings

%s%d, xrefs: 00F3A3B9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 5cc71319f13416af5457215a78abb06e5962603abcdcfd069da28c23be5d9bce
Instruction ID: 4a27dc76efbac2d3c9451a392da2d7c5d970ff42725c3ac3a14fc619b6b230ce
Opcode Fuzzy Hash: 5cc71319f13416af5457215a78abb06e5962603abcdcfd069da28c23be5d9bce
Instruction Fuzzy Hash: 3E11D6716002097BDF11BF61DC85FEA37BCEF45720F004075FD58AA252CA755949AB72

Function 00F5EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F5ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F5ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F5EE7E
CloseHandle.KERNEL32(?), ref: 00F5EEFF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 89a751c063be59049c3881814e75581688c8a83e607bb892df30a642a64924d8
Instruction ID: 7436dcbf059eab7b03d1b7b8df48de3d7e10ad2311baa0043045fb241a4b49d1
Opcode Fuzzy Hash: 89a751c063be59049c3881814e75581688c8a83e607bb892df30a642a64924d8
Instruction Fuzzy Hash: 868194B16043009FD724EF25DC86F2AB7E5AF48720F14881DF999EB392DB70AD048B51

Function 00F600C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F60EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FE38,?,?), ref: 00F60EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F601C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F6020E
RegCloseKey.ADVAPI32(?,?), ref: 00F6023A
RegCloseKey.ADVAPI32(00000000), ref: 00F60247

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: d79c480e8974e4dbc6ec7a58b8aac15882679c8766925b4f7dfabc9de5102eb9
Instruction ID: 5c4bf6afc50fa0f84df98caaa16111962220e823e08d53a33e640f694ff500c2
Opcode Fuzzy Hash: d79c480e8974e4dbc6ec7a58b8aac15882679c8766925b4f7dfabc9de5102eb9
Instruction Fuzzy Hash: A6515931208244AFD704EBA4DC85F6BB7E8FF88314F14892EF59997292DB70E904DB52

Function 00F5D9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5DA3B
GetProcAddress.KERNEL32(00000000,?), ref: 00F5DABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F5DADA
GetProcAddress.KERNEL32(00000000,?), ref: 00F5DB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5DB35

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F4793F,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F4793F,?,?,00000000,?,?), ref: 00EE5BB0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 36a49215792ea397c4efc24f2acfb6f7c3921480dcc815acda10fe893854cd8b
Instruction ID: 12801b038c7a0925aec9235f376f32a77e7b3da32a04ba188a6a072c48132fdd
Opcode Fuzzy Hash: 36a49215792ea397c4efc24f2acfb6f7c3921480dcc815acda10fe893854cd8b
Instruction Fuzzy Hash: EB514A35A05209DFCB10EFA8C4849AEF7F5FF49324B158069E919AB312DB34ED49DB90

Function 00F4E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F4E6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F4E6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F4E713

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F4E738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F4E740

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: cf2a5141e9ca54412f55c58c00a1f2fd9dee903323c5634816e9f65436f89fc0
Instruction ID: 3f12bfe43be80bedb7c77658700f7458065741c22c00b654a304b700535b75b9
Opcode Fuzzy Hash: cf2a5141e9ca54412f55c58c00a1f2fd9dee903323c5634816e9f65436f89fc0
Instruction Fuzzy Hash: F5510A75A00209DFCB01EF65C981AADBBF5FF48314F1480A9E849AB362CB31ED11EB50

Function 00F6A088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f96dc5b9ad0832a8dd5779f64e840a27cd4d2e60e5b4bebb13ac2dd6e94de44
Instruction ID: 3bfff716d0f2e998fc6e4ac8a2aea47daef1b4a913f2e6308d06628924c26182
Opcode Fuzzy Hash: 3f96dc5b9ad0832a8dd5779f64e840a27cd4d2e60e5b4bebb13ac2dd6e94de44
Instruction Fuzzy Hash: 9841C136D00648AFDB10DF28CC45FA9BBA8EB0B360F150265E926B72E1C770AD41FE51

Function 00EE2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EE2357
ScreenToClient.USER32(00FA57B0,?), ref: 00EE2374
GetAsyncKeyState.USER32(00000001), ref: 00EE2399
GetAsyncKeyState.USER32(00000002), ref: 00EE23A7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b40c89481a367325ea41e27706cbfbf787d8a7645473c1c4630e27149308c781
Instruction ID: 0ccba08e85ff3a5d734bcd78ef45a04ef9feb994e7392ceb9fb85a7094d5aaa7
Opcode Fuzzy Hash: b40c89481a367325ea41e27706cbfbf787d8a7645473c1c4630e27149308c781
Instruction Fuzzy Hash: D241B33594410AFBCF159F69CC44AEDBB78FB05324F20432AF929A22A1C7356D94EF91

Function 00F36700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00F36789
TranslateMessage.USER32(?), ref: 00F367B2
DispatchMessageW.USER32(?), ref: 00F367BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F367CB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 9d57049cc2808905a12b17859b8c00b507e29489dd2dfc4e7d804cdc8238acf9
Instruction ID: f35eb3a61b19bb93e52583c6a6e69b300d3ee6736aeec69f56dba33574687697
Opcode Fuzzy Hash: 9d57049cc2808905a12b17859b8c00b507e29489dd2dfc4e7d804cdc8238acf9
Instruction Fuzzy Hash: F631C671D0050ABFDB208F74DC44FB67BE8AF06738F548165E421D71A1EB65A449F750

Function 00F38CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F38CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00F38D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F38DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00F38DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F38DBA

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
Instruction ID: 5dccbdf380b8b800f2b3d8bdfc43bcf934b94fae0df416d5e8b8b6a3f3b00eb7
Opcode Fuzzy Hash: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
Instruction Fuzzy Hash: DF31EE72900319EBDF00CF68ED4CA9E3BB5FB14365F104229F925EA2D1C7B49915EB90

Function 00F3B4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F3B4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F3B4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F3B51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F3B541
_wcsstr.LIBCMT ref: 00F3B54B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2f0e15cd1640b2eda32c2ce1efbea5896a708fe7118eda32a39141a747c80621
Instruction ID: 58db0ee1561f2eee3d17a76352530f592d80f05c0a8b599807a1023dec33c054
Opcode Fuzzy Hash: 2f0e15cd1640b2eda32c2ce1efbea5896a708fe7118eda32a39141a747c80621
Instruction Fuzzy Hash: BE21C872604105BAEB259B39DC19B7B7B98DB45770F044039F905CA1A1EFA5DC40B7A0

Function 00F6B17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetWindowLongW.USER32(?,000000F0), ref: 00F6B1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F6B1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F6B203
GetSystemMetrics.USER32(00000004), ref: 00F6B22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F50FA5,00000000), ref: 00F6B24A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b2940f0a0095afedc6f0a2d492e15ad431558611143bbe31ccff8a2b7e74bcae
Instruction ID: 7c2474c01b05b37fd6a0921c756697199253e2c4c5cd0fab9abf758f4bbcf780
Opcode Fuzzy Hash: b2940f0a0095afedc6f0a2d492e15ad431558611143bbe31ccff8a2b7e74bcae
Instruction Fuzzy Hash: 30216D72914619AFCB119F38DC18B6A37A4FB06731F154729F936D61E0E7309C94EB90

Function 00F395C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F395E2

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39614
__itow.LIBCMT ref: 00F3962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39654
__itow.LIBCMT ref: 00F39665

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: f37a0d2d1109c3e3fef18c36e923fbfc884d0efd9afd80c38ee1ce54437be3c0
Instruction ID: 242cda62bdfe946e69bfc491234f0812324bd0802d75ba55481c72a4b67e8d80
Opcode Fuzzy Hash: f37a0d2d1109c3e3fef18c36e923fbfc884d0efd9afd80c38ee1ce54437be3c0
Instruction Fuzzy Hash: 2921D731B09258BBDB10AB65DC8AEAE7BACDF59730F040029F904E7291D6F18D45A7A1

Function 00EE12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EE134D
SelectObject.GDI32(?,00000000), ref: 00EE135C
BeginPath.GDI32(?), ref: 00EE1373
SelectObject.GDI32(?,00000000), ref: 00EE139C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c604cb9e259366939a7dd6994b1271abf0087378a7d0f226406fc99c2546f22
Instruction ID: 90221f3574f52f7c645d85e29f3c64a0b9fbe39074591779c5d6944d6a9e707c
Opcode Fuzzy Hash: 3c604cb9e259366939a7dd6994b1271abf0087378a7d0f226406fc99c2546f22
Instruction Fuzzy Hash: E72159B080064CEBDB108F26EC087AD7BB8EB01B25F14426AE810A65B0D3B598D5EF90

Function 00F44B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F44B61
__beginthreadex.LIBCMT ref: 00F44B7F
MessageBoxW.USER32(?,?,?,?), ref: 00F44B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F44BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F44BB1

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c7a4752acddab44ec055d9bd926690a787f19a2c5aaad81dd230935bdfdb141d
Instruction ID: f392f7b185cb410b86a315c883904bb52e89e6b91edcfca3b8f1c38f2147258f
Opcode Fuzzy Hash: c7a4752acddab44ec055d9bd926690a787f19a2c5aaad81dd230935bdfdb141d
Instruction Fuzzy Hash: 641108B690564CBBCB019BA8DC04B9A7FECEB46320F144269FC24E3251D6B1D904A7A1

Function 00F3852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F38546
GetLastError.KERNEL32(?,00F3800A,?,?,?), ref: 00F38550
GetProcessHeap.KERNEL32(00000008,?,?,00F3800A,?,?,?), ref: 00F3855F
HeapAlloc.KERNEL32(00000000,?,00F3800A,?,?,?), ref: 00F38566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F3857D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 73f29324f5f3e2803e5a9a1966761fb4f1cc77df4ed97d39a01ffeb903d1f987
Instruction ID: 84377f23c0e59629d14d4fecb96a59ea9e1db148b27b3033475b428d775717ba
Opcode Fuzzy Hash: 73f29324f5f3e2803e5a9a1966761fb4f1cc77df4ed97d39a01ffeb903d1f987
Instruction Fuzzy Hash: 60016271700208FFDB114FA6EC48D6B7F6CFF463B5B140529F819C2220DA728D15EA60

Function 00F452EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F45315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F4531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F45327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45363

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d4e23d14105960d2e68ea089ceee0dea6f6108eb0686afc0d62ef066a7dce5a5
Instruction ID: 9aed45f3840a7172e4b1a92e2e907f37a31fcc5bb5a4428fc4f5b4be94b12bce
Opcode Fuzzy Hash: d4e23d14105960d2e68ea089ceee0dea6f6108eb0686afc0d62ef066a7dce5a5
Instruction Fuzzy Hash: 8D016D32C01A1DDBDF10EFA4EC886EDBB79FB09B51F05045AE851F2241CBB09554A7A1

Function 00F37432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?,?,00F3777D), ref: 00F3744F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?), ref: 00F3746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?), ref: 00F37478
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?), ref: 00F37488
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3736C,80070057,?,?), ref: 00F37494

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1c7d044f751ab1da388070f0e149a8111913fcad405c0c7e198a92b80e58c8b8
Instruction ID: e80ec9ebfe2fb55ac0ffe5ec9a06ba43f58c26203dae3f6d53c153c72687e2c2
Opcode Fuzzy Hash: 1c7d044f751ab1da388070f0e149a8111913fcad405c0c7e198a92b80e58c8b8
Instruction Fuzzy Hash: 8B015EB2605308FBDB20AF64EC44AAA7FADEB45762F144064F908D2220D771ED44AAA0

Function 00F383D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F383E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F383F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F38401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F38408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F3841E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
Instruction ID: 02201f77ad1bef8cd4ce22b34935a9b14a2e37bfcd75b6d5d39fa38cdc5ac4cb
Opcode Fuzzy Hash: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
Instruction Fuzzy Hash: B6F04431604309BFD7105F65EC89EA73BACEF8A7A4F000425F955C6150CAA59C45FA60

Function 00F38432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F38453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3847F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c91c81c7b324bb153dff5d7a46231b4cbbd7cc1856d95a04082ef6dac8260f3e
Instruction ID: 4a893675a5fadf8892e000ae54e9aaf128970ac925dc1e8aca5851134f99b370
Opcode Fuzzy Hash: c91c81c7b324bb153dff5d7a46231b4cbbd7cc1856d95a04082ef6dac8260f3e
Instruction Fuzzy Hash: 62F04F31200309BFEB115FA5EC88E673BACEF4A7A4F044125F955C7150CAA69945FA60

Function 00F3C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F3C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F3C4D0
MessageBeep.USER32(00000000), ref: 00F3C4E8
KillTimer.USER32(?,0000040A), ref: 00F3C504
EndDialog.USER32(?,00000001), ref: 00F3C51E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 080c84671c259ae426bdb46edd63be870ae17cf237bf4eeb20796dbaf1cc9db0
Instruction ID: 5614543aad6e3d276f117a9e297f7f3e6a0dac3c27fcb3be3c4926a231e319ab
Opcode Fuzzy Hash: 080c84671c259ae426bdb46edd63be870ae17cf237bf4eeb20796dbaf1cc9db0
Instruction Fuzzy Hash: 31018630900708ABEB209B24ED4EFA677B8FF00716F040669F593B10E1DBF16958AB91

Function 00EE13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00EE13BF
StrokeAndFillPath.GDI32(?,?,00F1BA08,00000000,?), ref: 00EE13DB
SelectObject.GDI32(?,00000000), ref: 00EE13EE
DeleteObject.GDI32 ref: 00EE1401
StrokePath.GDI32(?), ref: 00EE141C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6b2b75bef23842834cd8bb3fca12c1a6ad6e06dc2d31cf6668d0669dc40a4cda
Instruction ID: 24633e671e82a5bea2e13abe87ff4c13f480f48f7cd21559342bb26eeba5e676
Opcode Fuzzy Hash: 6b2b75bef23842834cd8bb3fca12c1a6ad6e06dc2d31cf6668d0669dc40a4cda
Instruction Fuzzy Hash: 46F0EC70004B4CEBDB115F66EC4C7583FA4AB02B26F089264E43A595F2C7794999EF51

Function 00F4C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F4C4BE
CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4C4D6

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

CoUninitialize.OLE32 ref: 00F4C743

Strings

.lnk, xrefs: 00F4C452, 00F4C47A, 00F4C484

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8eab746b51cbccf73382876c3a499057cddc2270045a8fdadbd20175baa56c9c
Instruction ID: 460f939160cf505bffde325d3a5d2f835856a5ab89581145fc12915e0a3d0a9b
Opcode Fuzzy Hash: 8eab746b51cbccf73382876c3a499057cddc2270045a8fdadbd20175baa56c9c
Instruction Fuzzy Hash: B8A14D71104349AFD300EF64C891EABB7E8EF94304F00592DF55AA7192EB70EE49CB92

Function 00EF2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F00F36: std::exception::exception.LIBCMT ref: 00F00F6C
Part of subcall function 00F00F36: __CxxThrowException@8.LIBCMT ref: 00F00F81

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00EE7BB1: _memmove.LIBCMT ref: 00EE7C0B

__swprintf.LIBCMT ref: 00EF302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EF2EC6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: c87cd04fdcfe60794d7c7b9cacf525650075bfb4fef4eb0918f5a51ceef1022a
Instruction ID: e9265f8ab60835691342656419603893124cee2c6df4300198fd757de2f17065
Opcode Fuzzy Hash: c87cd04fdcfe60794d7c7b9cacf525650075bfb4fef4eb0918f5a51ceef1022a
Instruction Fuzzy Hash: 5E918B725086499FC714EF24D895D7EB7E4EF85310F00592EF586AB2A2EF20EE04DB52

Function 00F4B9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

CoInitialize.OLE32(00000000), ref: 00F4BA47
CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4BA60
CoUninitialize.OLE32 ref: 00F4BA7D

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Strings

.lnk, xrefs: 00F4BA29, 00F4BA37

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 294a381c6e39576a267bd310f60facdd17795d0fcd59a1b8231e80339d206a14
Instruction ID: 466097e37f8033e26e53b5fd4a13125db8bea2caa7d714b27ceb4055b6efad40
Opcode Fuzzy Hash: 294a381c6e39576a267bd310f60facdd17795d0fcd59a1b8231e80339d206a14
Instruction Fuzzy Hash: 73A158756043459FCB10DF15C494D1ABBE5FF88324F148998F899AB3A2CB31ED45CB92

Function 00F0518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F0521D

Part of subcall function 00F10270: __87except.LIBCMT ref: 00F102AB

Strings

pow, xrefs: 00F051F5, 00F05212

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b2d2c41bf05d68e867a799b71b9e6cdf66924c16044098320f086849111d4402
Instruction ID: fa171c19fb8f163317912b601fe2c3f5e9fcb902f74a6a86cedd105d46b8394c
Opcode Fuzzy Hash: b2d2c41bf05d68e867a799b71b9e6cdf66924c16044098320f086849111d4402
Instruction Fuzzy Hash: 39512371E1C60597DB11B714CD413AB3B94AF40B60F248958F0A5862E9EEF88DC8BE46

Function 00F0017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00F001C0
+, xrefs: 00F001B7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 80ac67d65af6e8a2e3827790602e5b15bf466c340444f1ffe90c3377ff214af6
Instruction ID: 9185fa920b44877ce6f89b217afcc199ffb0add4faa63ad91bbb428413bccb2a
Opcode Fuzzy Hash: 80ac67d65af6e8a2e3827790602e5b15bf466c340444f1ffe90c3377ff214af6
Instruction Fuzzy Hash: 0C51333590428A9FCF25DF28C884BFAB7A4EF95730F144055EC919B2E0CB349C42E760

Function 00EF3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF33D7
_memmove.LIBCMT ref: 00EF3470
_free.LIBCMT ref: 00EF3496
_memmove.LIBCMT ref: 00EF3549

Strings

Oa, xrefs: 00EF3482

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa
API String ID: 2620147621-3945284152
Opcode ID: c3d169a4a0cfcf37673b2b133a6143c03f6ce097424d7a3da9684a38108b0890
Instruction ID: 4d4276afa23b438feb1d7fa9d07e942ffe5ccf9cf9f15f7609193cda437cac80
Opcode Fuzzy Hash: c3d169a4a0cfcf37673b2b133a6143c03f6ce097424d7a3da9684a38108b0890
Instruction Fuzzy Hash: E5515AB1A083059FDB24CF28D881B2ABBE1FF85314F45592DEA89D7351DB31DA01DB52

Function 00EF62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF63A8
_memmove.LIBCMT ref: 00EF6444
_memset.LIBCMT ref: 00EF6468

Strings

ERCP, xrefs: 00EF6313

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 54d59984f8e851a8efb2d7053453c743d134e79f0d688e86ef73a0ff43cf303b
Instruction ID: 5bcf0ca71c5d2f67f49a916654b00d7918bf9c265e81f75aaf8500c50f28b4c4
Opcode Fuzzy Hash: 54d59984f8e851a8efb2d7053453c743d134e79f0d688e86ef73a0ff43cf303b
Instruction Fuzzy Hash: F551D171900309DBDB24DF65C8817BAB7F4FF44318F20856EE95ADB281E770AA84DB90

Function 00F39AB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F417ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F39558,?,?,00000034,00000800,?,00000034), ref: 00F41817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F39B01

Part of subcall function 00F417B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F39587,?,?,00000800,?,00001073,00000000,?,?), ref: 00F417E2

Part of subcall function 00F4170F: GetWindowThreadProcessId.USER32(?,?), ref: 00F4173A
Part of subcall function 00F4170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F3951C,00000034,?,?,00001004,00000000,00000000), ref: 00F4174A
Part of subcall function 00F4170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F3951C,00000034,?,?,00001004,00000000,00000000), ref: 00F41760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F39B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F39BBB

Strings

@, xrefs: 00F39BD3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a5faa42a7381d3d38e6caf47e41f62ebfdc949c089b9f07fd7ee7302dacf19fe
Instruction ID: ea4f4b02c71fceeb07594a47adf49e3e54791fd176eb0d92614fa389ace2dd8d
Opcode Fuzzy Hash: a5faa42a7381d3d38e6caf47e41f62ebfdc949c089b9f07fd7ee7302dacf19fe
Instruction Fuzzy Hash: 42414D76D0021CAFDB10DFA4CC81ADEBBB8EB49310F104095FA55B7190DAB56E85DB60

Function 00F67978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F6F910,00000000,?,?,?,?), ref: 00F67A11
GetWindowLongW.USER32 ref: 00F67A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F67A3E

Strings

SysTreeView32, xrefs: 00F679E3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 328d76c44514eb2b027e0b94c39141496953bff9722a8e1540cdcd6e2c6ab74b
Instruction ID: 476c5cec96c4c01ac864f334fe0f4cdf8c404dffaf507ff4636971df94adf3df
Opcode Fuzzy Hash: 328d76c44514eb2b027e0b94c39141496953bff9722a8e1540cdcd6e2c6ab74b
Instruction Fuzzy Hash: 1031CF3160460AABDB119F78DC41BEA77A9EB45338F244725F875E32E0C735ED50AB50

Function 00F6740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F67493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F674A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F674CB

Strings

SysMonthCal32, xrefs: 00F6745E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 94f4cb0822d758e02e498c96dc091074ab2693dfdae4572e8770219a1b516985
Instruction ID: 818d263a1e2a3530ce45b13fca88edb1514cbc5d7fe9767a87a35bbf5133ea6e
Opcode Fuzzy Hash: 94f4cb0822d758e02e498c96dc091074ab2693dfdae4572e8770219a1b516985
Instruction Fuzzy Hash: 8621D132604219BBDF21DF94DC46FEA3B69EF48724F110214FE146B190DAB5A894EBA0

Function 00F67BC5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F67C7C
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F67C8A
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F67C91

Strings

msctls_updown32, xrefs: 00F67BF6

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5322dfc07ae6d84a31edec4f6cacec9783075a12717f7f29fdcd41d643f56e14
Instruction ID: 822b9483094dae33496fdcb3f47bdd050fec72ceda9853c668e966b7b07c9c69
Opcode Fuzzy Hash: 5322dfc07ae6d84a31edec4f6cacec9783075a12717f7f29fdcd41d643f56e14
Instruction Fuzzy Hash: 9B2162B5604209AFDB00DF14DC81DB737EDEF4A768B050559FA119B2A1CB71EC51EBA0

Function 00F66CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F66D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F66D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F66DA2

Strings

Listbox, xrefs: 00F66D3A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fce9fe749d20ba0658c519689e85395962e259011824fd96bd1c7e83709bf4e9
Instruction ID: 4600456e2997eddb23d38563e45c0e57f0219a7e82898a50e52bb694984d17dd
Opcode Fuzzy Hash: fce9fe749d20ba0658c519689e85395962e259011824fd96bd1c7e83709bf4e9
Instruction Fuzzy Hash: 94218172B10118BFEF118F54DC85FBB3BAAEF89764F118128F915DB1A0C671AC51A7A0

Function 00F67740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F677A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F677B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F677C6

Strings

msctls_trackbar32, xrefs: 00F6777B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bc412ea1907f43dff87396de46e169ee92cf6af017caf3e299a9b1497c63c06c
Instruction ID: 10e0d68f38251c47892419d47917f451d22076cca859af14926142338f49221e
Opcode Fuzzy Hash: bc412ea1907f43dff87396de46e169ee92cf6af017caf3e299a9b1497c63c06c
Instruction Fuzzy Hash: 7F11E772654308BAEF106F64CC45FE737A9EF89B28F010218F651A60E0D672E851EB20

Function 00EE4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4C2E), ref: 00EE4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EE4CB5

Strings

kernel32.dll, xrefs: 00EE4C9E
GetNativeSystemInfo, xrefs: 00EE4CAF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
Instruction ID: c84f08e757e50614e0d55bcb61ebce6f252bec68d4c66d8819965372e85b0485
Opcode Fuzzy Hash: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
Instruction Fuzzy Hash: 6DD05B7051072BCFD7209F31ED18606B6D5AF05799B31DC3ED895D7190E7B0D484D651

Function 00EE4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4CE1,?), ref: 00EE4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4DB4

Strings

kernel32.dll, xrefs: 00EE4D9D
Wow64RevertWow64FsRedirection, xrefs: 00EE4DAE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 594ab8d621418a7c5a42a7a2100f2c1657a6d86fb33a018180000185027d5fae
Instruction ID: 8dba433dd6f0b2f0a26cc0d80102a463b3362edc21d68941066961f466dae18f
Opcode Fuzzy Hash: 594ab8d621418a7c5a42a7a2100f2c1657a6d86fb33a018180000185027d5fae
Instruction Fuzzy Hash: 86D0C770900717CFDB208F32EC08A8272E4AF0238CB11883AD8D2E61A0E7B0C880DA10

Function 00EE4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4D2E,?,00EE4F4F,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4D81

Strings

kernel32.dll, xrefs: 00EE4D6A
Wow64DisableWow64FsRedirection, xrefs: 00EE4D7B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 3174f3e9defe903a132f868efed0a5e414511c2749afe180a0ea7033f711de4d
Instruction ID: 8492355481c4df14e8ce8c55c94fba2de96035a4b8d42bc6076ff107e4b6f070
Opcode Fuzzy Hash: 3174f3e9defe903a132f868efed0a5e414511c2749afe180a0ea7033f711de4d
Instruction Fuzzy Hash: 14D02E70900717CFDB208F32EC0824672E8BF0A38AB01C83ED492E26A0E7B0C880DB11

Function 00F60E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F610C1), ref: 00F60E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F60E92

Strings

RegDeleteKeyExW, xrefs: 00F60E8C
advapi32.dll, xrefs: 00F60E7B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fc8dc6284367dc514c9f27cd652a086bb26ace75365fd2a6038df1b1f6b24de6
Instruction ID: 3fa53fd7cf428aa2395981537321456fc90e68e5cb4013002757b9c56ad75297
Opcode Fuzzy Hash: fc8dc6284367dc514c9f27cd652a086bb26ace75365fd2a6038df1b1f6b24de6
Instruction Fuzzy Hash: E5D01270910723CFE7205F35D90854776D4AF15391B168C3EE495D2150DAB0C480E651

Function 00F591F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F58E09,?,00F6F910), ref: 00F59203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F59215

Strings

GetModuleHandleExW, xrefs: 00F5920F
kernel32.dll, xrefs: 00F591FE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 56424c31a248a8a535cba6b1b79939240544361aa46716025a292ed5eb48ed5c
Instruction ID: de8714ccbf310d54c06d6a97927973384fa76ee6ef029917df16ca089e12aecb
Opcode Fuzzy Hash: 56424c31a248a8a535cba6b1b79939240544361aa46716025a292ed5eb48ed5c
Instruction Fuzzy Hash: 21D01730958717DFDB209F31ED0860676E5AF063AAF11883AD996D6590EBB0C888EA51

Function 00F21A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F21A71
__swprintf.LIBCMT ref: 00F21AA2

Strings

WIN_XPe, xrefs: 00F21AE1
%.3d, xrefs: 00F21A7C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 55e1a77f67dc40485027208f8fb44383dfdb318322ebf84c2777c7d9281f31d0
Instruction ID: 6ba6933429723d25bee5903e2824d98c22011d05b318096c4529435fd7283a4c
Opcode Fuzzy Hash: 55e1a77f67dc40485027208f8fb44383dfdb318322ebf84c2777c7d9281f31d0
Instruction Fuzzy Hash: A1D0127380912DEACB149BD1AC85AFE737CF718300F145052F402E1040E269CB84FE29

Function 00F374A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd28ed7a5227497791821d0dab9fc95158a798503f5c951c80e22840e54eddf
Instruction ID: 8c0bd2bf865eda573919839b754dfdccc460f88b9d64c4b7131bc367a446b17f
Opcode Fuzzy Hash: fcd28ed7a5227497791821d0dab9fc95158a798503f5c951c80e22840e54eddf
Instruction Fuzzy Hash: C8C17EB5A04216EFCB24DF98C894EAEB7B5FF48724F144598E805EB251D730ED81EB90

Function 00F5E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F5E1D2
CharLowerBuffW.USER32(?,?), ref: 00F5E215

Part of subcall function 00F5D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F5E415
_memmove.LIBCMT ref: 00F5E428

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 484dbfd3d507e46bfd14bc11e553070ea282caaa0609265a5d31508b87b5475f
Instruction ID: 822998a0571963c084507ee66f545faf123d1e6dae6c5f0352b676d55f2407a6
Opcode Fuzzy Hash: 484dbfd3d507e46bfd14bc11e553070ea282caaa0609265a5d31508b87b5475f
Instruction Fuzzy Hash: 94C16C71A083419FC714DF24C480A6ABBE4FF88314F14896DF9999B352D731EA49DB82

Function 00F581A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F581D8
CoUninitialize.OLE32 ref: 00F581E3

Part of subcall function 00F3D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3D8E3

VariantInit.OLEAUT32(?), ref: 00F581EE
VariantClear.OLEAUT32(?), ref: 00F584BF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 657c5fa595e1465b845d4a4aff7913fb32e870400a889a379becd2f31d960209
Instruction ID: faf06bb0387eef7ae0542fa372b574ad1762b835bbafc8a0cd0a0b1c0133cb56
Opcode Fuzzy Hash: 657c5fa595e1465b845d4a4aff7913fb32e870400a889a379becd2f31d960209
Instruction Fuzzy Hash: 25A16B756047459FCB10DF15C881B2ABBE4BF88361F14845CFA9AAB3A2CB34ED09DB41

Function 00F37858 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37A12
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37A2A
CLSIDFromProgID.OLE32(?,?,00000000,00F6FB80,000000FF,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37A4F
_memcmp.LIBCMT ref: 00F37A70

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dbecbc4f63dae8c656f3e4b8e1e11a3d5120fc0562fbeb1e2cb8ccb7a7708310
Instruction ID: f4aea7897d63813395736295c669f3acb084d50cadaee7addb59367066f50478
Opcode Fuzzy Hash: dbecbc4f63dae8c656f3e4b8e1e11a3d5120fc0562fbeb1e2cb8ccb7a7708310
Instruction Fuzzy Hash: B5812C71A00209EFCF14DF94C984EEEB7B9FF89325F204199E515AB260DB71AE05DB60

Function 00F36BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F36BE4
SysAllocString.OLEAUT32(00000000), ref: 00F36C8D
VariantCopy.OLEAUT32 ref: 00F36CBC
VariantClear.OLEAUT32(?), ref: 00F36CE3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c192e2d96cc7c3c7e1a049938e182e5e580e5650d55334cc738b3ebc387e6c96
Instruction ID: f7b5993a74dce61d3de4681287b96414365752ed78d67d857461aacbb1cc79ab
Opcode Fuzzy Hash: c192e2d96cc7c3c7e1a049938e182e5e580e5650d55334cc738b3ebc387e6c96
Instruction Fuzzy Hash: EE51C331704306BBDB20AF65D891B29F3E5EF48330F20D82FE596DB691DB748880AB15

Function 00F69826 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0157E888,?), ref: 00F69895
ScreenToClient.USER32(00000002,00000002), ref: 00F698C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F69935

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5cdf2f7cef58bcf66c3ffe0f929187885bac15c08de15e5c9b9601531ec8ec59
Instruction ID: 96e91273819bb2e4f6a17961961de595b0ee8f1ed73e215831894a21cf7161e7
Opcode Fuzzy Hash: 5cdf2f7cef58bcf66c3ffe0f929187885bac15c08de15e5c9b9601531ec8ec59
Instruction Fuzzy Hash: 23518134A04208EFCF10DF64D9809AE7BB9FF85330F148159F8659B2A1D771AD41EB90

Function 00F56AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F56AE7
WSAGetLastError.WSOCK32(00000000), ref: 00F56AF7

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F56B5B
WSAGetLastError.WSOCK32(00000000), ref: 00F56B67

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c3cfdb7cc428b16a02c01f33b5a5ad206304c0d836219ec25fa7ae5723d3c5ad
Instruction ID: ee5cdecfd4c7a3c3d543938a11941dd51445f4d4dcf3141a11ddf44de5ed6618
Opcode Fuzzy Hash: c3cfdb7cc428b16a02c01f33b5a5ad206304c0d836219ec25fa7ae5723d3c5ad
Instruction Fuzzy Hash: E841B475740204AFEB20AF25DC86F3A77E9AF44B20F448058FA59EB3D3DA709C019791

Function 00F56530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F6F910), ref: 00F565BD
_strlen.LIBCMT ref: 00F565EF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 6ed4fc670d5f182582979a01589f2bb4f9c228403bc6e54c4f4e316548bb67b3
Instruction ID: 03106639abcc247f74f88c94a97033c4f446e4be483c90b74a2c7e2f59075519
Opcode Fuzzy Hash: 6ed4fc670d5f182582979a01589f2bb4f9c228403bc6e54c4f4e316548bb67b3
Instruction Fuzzy Hash: DA41B631900108ABCB14EB65EDD1FAEB3E9EF44314F548155F929EB292DF30AD04EB51

Function 00F4B880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F4B92A
GetLastError.KERNEL32(?,00000000), ref: 00F4B950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F4B975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F4B9A1

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7d42c1bd40eddb11346978e253c50719f123145238eef630aed80e9c6ad3f5cb
Instruction ID: 9a90ba4a87caf105f888960ef864db30ad82bf4ec93eaef866c9c2a27e78be24
Opcode Fuzzy Hash: 7d42c1bd40eddb11346978e253c50719f123145238eef630aed80e9c6ad3f5cb
Instruction Fuzzy Hash: 2B413839600658DFCB10EF16C484A19BBF1EF89320B199098ED5AAB363CB35FD00DB91

Function 00F68883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F68910

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: de822283e8c9b9f450cc2e88af067bf76d7f1d21163e2b361aaa3386951cdfe3
Instruction ID: b1d66880bd65929fad06810985cc4325111771b0b3d60509f6fba81e767e354e
Opcode Fuzzy Hash: de822283e8c9b9f450cc2e88af067bf76d7f1d21163e2b361aaa3386951cdfe3
Instruction Fuzzy Hash: D831D230A01108BFEF209E64DC45BBD37A5EB06BA0F544619FA51E72E1CF319982FA52

Function 00F6AB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F6AB92
GetWindowRect.USER32(?,?), ref: 00F6AC08
PtInRect.USER32(?,?,00F6C07E), ref: 00F6AC18
MessageBeep.USER32(00000000), ref: 00F6AC89

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: afa88980d26d427df085e0e6be7cfbff426e1e911ff17b137ea96fda1852a30e
Instruction ID: 6eed84b34574e1cbc10c3beaf23402037fed6d36ea6210ffd14a882be2fdb0ff
Opcode Fuzzy Hash: afa88980d26d427df085e0e6be7cfbff426e1e911ff17b137ea96fda1852a30e
Instruction Fuzzy Hash: 65419E70A00219DFCF11CF58C884B697BF5FF49710F1880A9E824AB261D735E815EF92

Function 00F40E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F40E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F40E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F40EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F40F2C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
Instruction ID: 8058f181b879651ae8c9656f8a4087e92f38dac5c016a851140c8f888405f4ee
Opcode Fuzzy Hash: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
Instruction Fuzzy Hash: BD313731D4420CAEFB308A248C05BFA7F65EB48330F18461AFA91521D2CBB58DA5B795

Function 00F40F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F40F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F40FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F41012
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F41064

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
Instruction ID: 3dba803747dbc43a94f277e722db646ca1af3c6385c5c4b645653e248ef4b225
Opcode Fuzzy Hash: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
Instruction Fuzzy Hash: BF313A30D40688DEFF348A299C08BFABF65BB45331F08421AEC95521D1C7798DD5B7A1

Function 00F16345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F1637B
__isleadbyte_l.LIBCMT ref: 00F163A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F163D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F1640D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c0f91bb3f94766fc962e415d76e1dda973fdbc2a4aea645f6a422391c9719a47
Instruction ID: 834f8601d64b46204e91465d1447728f2e6d02b483b84efbed2bd76ff19dada7
Opcode Fuzzy Hash: c0f91bb3f94766fc962e415d76e1dda973fdbc2a4aea645f6a422391c9719a47
Instruction Fuzzy Hash: 8B318E31A00246AFDB21CF65CC44BBA7BA9FF41360F154129E865C7291E731E990FBA0

Function 00F64F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F64F6B

Part of subcall function 00F43685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F4369F
Part of subcall function 00F43685: GetCurrentThreadId.KERNEL32 ref: 00F436A6
Part of subcall function 00F43685: AttachThreadInput.USER32(00000000,?,00F450AC), ref: 00F436AD

GetCaretPos.USER32(?), ref: 00F64F7C
ClientToScreen.USER32(00000000,?), ref: 00F64FB7
GetForegroundWindow.USER32 ref: 00F64FBD

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e22bd7f9fcda8fd367279e164e61d95a254cb46493941e71a6c7827d6f41c98c
Instruction ID: 9917128d84a837c4f5fbd7491461356e6a1c8012fe572ad051dd7a2f3d8f991a
Opcode Fuzzy Hash: e22bd7f9fcda8fd367279e164e61d95a254cb46493941e71a6c7827d6f41c98c
Instruction Fuzzy Hash: AB312FB2900108AFDB00EFA5CC859EFB7F9EF88300F11506AE515E7242EA759E05CBA0

Function 00F6C502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetCursorPos.USER32(?), ref: 00F6C53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F1BB2B,?,?,?,?,?), ref: 00F6C551
GetCursorPos.USER32(?), ref: 00F6C59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F1BB2B,?,?,?), ref: 00F6C5D8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: babc8a47f7f024e1155febbb5634783b926287327c7664dc9bc7432db8d6ce13
Instruction ID: 8b59fa7b8755c0ba1ec75e8bc9be192108437d3e932ce67ccce82b9b391ab22d
Opcode Fuzzy Hash: babc8a47f7f024e1155febbb5634783b926287327c7664dc9bc7432db8d6ce13
Instruction Fuzzy Hash: F9319376600458AFCB158F54CC58EBA7BF9EB49720F48406AF9868B261D731AD50EBA0

Function 00F3897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F38432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38449
Part of subcall function 00F38432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F38453
Part of subcall function 00F38432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38462
Part of subcall function 00F38432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38469
Part of subcall function 00F38432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F389CB
_memcmp.LIBCMT ref: 00F389EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F38A24
HeapFree.KERNEL32(00000000), ref: 00F38A2B

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d53fd2c05d3423898f9bc2072940e138d7d6f6fc100632f598104afe89d8f394
Instruction ID: 77bfbe773aa1354d0c78cf05d093c3d7329d2f7f9caa4eeecf3c8aad0245e486
Opcode Fuzzy Hash: d53fd2c05d3423898f9bc2072940e138d7d6f6fc100632f598104afe89d8f394
Instruction Fuzzy Hash: 2A219A31E41209FFCF10CFA4C945BEEBBB8EF403A1F04405AE854A7240DB78AA06EB51

Function 00F00B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F00B2E

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F4793F,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F4793F,?,?,00000000,?,?), ref: 00EE5BB0

_fprintf.LIBCMT ref: 00F00B65
OutputDebugStringW.KERNEL32(?), ref: 00F36111

Part of subcall function 00F04C1A: _flsall.LIBCMT ref: 00F04C33

__setmode.LIBCMT ref: 00F00B9A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 46e76c8fc2a9a44ea7862d2223c02427dce851e7d5333b0b61927c70805f1d42
Instruction ID: 679b6947446812b22a58e7300356f868e19663289c137cbe25de7b925070cb15
Opcode Fuzzy Hash: 46e76c8fc2a9a44ea7862d2223c02427dce851e7d5333b0b61927c70805f1d42
Instruction Fuzzy Hash: 5C1150B29045087EDB0477B49C43EBD7BAD9F81320F14412AF218A71D2EE6558457795

Function 00F5187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F518B9

Part of subcall function 00F51943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F51962
Part of subcall function 00F51943: InternetCloseHandle.WININET(00000000), ref: 00F519FF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
Instruction ID: 74704760e221411b07cf7fccd8bc6a965690feb3d780928e86833d0f96d2abea
Opcode Fuzzy Hash: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
Instruction Fuzzy Hash: 13210132200A05BFEB119F608C10F7ABBA9FF49712F00002AFF2196250DB71E819B790

Function 00F43A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F6FAC0), ref: 00F43AA8
GetLastError.KERNEL32 ref: 00F43AB7
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F43AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F6FAC0), ref: 00F43B23

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cb613b01d9ce2b910cd3efa9386a0a68a9ee22cb50eedc441e9ef540f2d36d9e
Instruction ID: dbe05dcd24c27bb06c2efb3ae20591095b8bcdc123f9b127c11d4895be58d11f
Opcode Fuzzy Hash: cb613b01d9ce2b910cd3efa9386a0a68a9ee22cb50eedc441e9ef540f2d36d9e
Instruction Fuzzy Hash: 6C21A3759083059F8300DF29D88195FBBE8EF55764F144A2EF8A9C72A1D730DE49DB82

Function 00F15262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F15281

Part of subcall function 00F0588C: __FF_MSGBANNER.LIBCMT ref: 00F058A3
Part of subcall function 00F0588C: __NMSG_WRITE.LIBCMT ref: 00F058AA
Part of subcall function 00F0588C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00F00F53,?), ref: 00F058CF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 56cd19eacda754e9fa852abc5d5fd493cf3d53c528f699b541e3e15a7998a4d9
Instruction ID: b891fb9a41cde02d831fdd7d7f9f2b2a72027f9309ddedaf577faeeadcf2c0f3
Opcode Fuzzy Hash: 56cd19eacda754e9fa852abc5d5fd493cf3d53c528f699b541e3e15a7998a4d9
Instruction Fuzzy Hash: CB11C633901A55EFDB202F70BC057AE3798AF95BB0F204539F9449A290DE788D81B7A1

Function 00EE4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE4560

Part of subcall function 00EE410D: _memset.LIBCMT ref: 00EE418D
Part of subcall function 00EE410D: _wcscpy.LIBCMT ref: 00EE41E1
Part of subcall function 00EE410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE41F1

KillTimer.USER32(?,00000001,?,?), ref: 00EE45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F1D5FE

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ee508347f93cb6239c60c4281d0ae342df890d14f5c6bb3fd67e2cde278f5166
Instruction ID: 0b74f626074995487b0f48b65b01ba00e72c9a03f30ff65dcd85f75abfa357bf
Opcode Fuzzy Hash: ee508347f93cb6239c60c4281d0ae342df890d14f5c6bb3fd67e2cde278f5166
Instruction Fuzzy Hash: 9C21FCB19047889FEB328B24DC55BE7BBFD9F0131CF08009DE69966181D77419C8EB51

Function 00F5647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F4793F,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F4793F,?,?,00000000,?,?), ref: 00EE5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00F564AF
WSAGetLastError.WSOCK32(00000000), ref: 00F564BA
_memmove.LIBCMT ref: 00F564E7
inet_ntoa.WSOCK32(?), ref: 00F564F2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a19f859edbcbf3c8015c05199e9fe1016b7da968d8c32d520202de9b461f27ed
Instruction ID: 5886e695ec52566b204917db9749aec8f32663e64e66ac3bc1bc0add7d5d119d
Opcode Fuzzy Hash: a19f859edbcbf3c8015c05199e9fe1016b7da968d8c32d520202de9b461f27ed
Instruction Fuzzy Hash: 10115132900109AFCB04EBA5ED86DEEB7F8AF44311B144065F506B71A2DF71AE18EB51

Function 00F38E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F38E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38E66

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
Instruction ID: 145a69bbb7a570c54ec7c934083360ffc24766f47df85715358f7ef05243f5cd
Opcode Fuzzy Hash: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
Instruction Fuzzy Hash: 0D114C79900218FFDB10DFA5CC84E9DBB74FB08750F204095F910B7250DA716E51EB90

Function 00EE1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8
GetClientRect.USER32(?,?), ref: 00F1B77B
GetCursorPos.USER32(?), ref: 00F1B785
ScreenToClient.USER32(?,?), ref: 00F1B790

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8f5e4af15b79ef6135343fa9641ca2eebee3d76241d17e12f5371361628535f1
Instruction ID: ce45cf42c079cc9834995c2baf3616492c1e1eb8512efe111659753835c50b02
Opcode Fuzzy Hash: 8f5e4af15b79ef6135343fa9641ca2eebee3d76241d17e12f5371361628535f1
Instruction Fuzzy Hash: 77112835A0005DEBCB10DFA5DC859EE77B8FB09300F400495FA12E7260C770BA95ABA5

Function 00F41473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F4001E,?,00F41071,?,00008000), ref: 00F41490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F4001E,?,00F41071,?,00008000), ref: 00F414B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F4001E,?,00F41071,?,00008000), ref: 00F414BF
Sleep.KERNEL32(?,?,?,?,?,?,?,00F4001E,?,00F41071,?,00008000), ref: 00F414F2

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a32833431594c7611373e3b2b07125aac1981da6625f19e048774a8837f0e6dc
Instruction ID: 1456ebc0bbeeb4516b39304bea4a67728d29df6a8867dcecc0a35321c8be7c07
Opcode Fuzzy Hash: a32833431594c7611373e3b2b07125aac1981da6625f19e048774a8837f0e6dc
Instruction Fuzzy Hash: 06114832D0052DDBCF00DFA5E948AEEBF78FB0A751F014155ED50B6290DB749590EBA1

Function 00F17137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F1715B

Part of subcall function 00F17842: __fltout2.LIBCMT ref: 00F1786B

__cftog_l.LIBCMT ref: 00F17181
__cftoe_l.LIBCMT ref: 00F171B3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6fde88a9cf2aece9a194275657120722b55714b2b2b3514fdf47173f9aaa11eb
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5A014B3244824ABBCF126E84DC058EE3F36BF18394B598415FE5C69131D336C9B1BB81

Function 00F6B2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F6B318
ScreenToClient.USER32(?,?), ref: 00F6B330
ScreenToClient.USER32(?,?), ref: 00F6B354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6B36F

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
Instruction ID: a9e8095971cd521d8c02e7f486ac79ffe8ae16dc1e5f64bd87dfcbf8caff2d45
Opcode Fuzzy Hash: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
Instruction Fuzzy Hash: 9E114675D0020DEFDB41CF98D4449EEBBB5FB08310F104166E924E3220D775AA559F50

Function 00F6B669 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6B678
_memset.LIBCMT ref: 00F6B687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FA6F20,00FA6F64), ref: 00F6B6B6
CloseHandle.KERNEL32 ref: 00F6B6C8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 561303e55a89d0224200214a04bf2a0989bdea7f24ceb6ad9575b479d9243ace
Instruction ID: e5dfd7fbfadd1e606e53caf5141d336e5088fb6285d7017ae5e6110ef810168c
Opcode Fuzzy Hash: 561303e55a89d0224200214a04bf2a0989bdea7f24ceb6ad9575b479d9243ace
Instruction Fuzzy Hash: 64F0F4F56403087EE2106765BC0AF777A5CEB06755F044025FA18D5192F7755C10B7B8

Function 00F46C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F46C8F

Part of subcall function 00F4776D: _memset.LIBCMT ref: 00F477A2

_memmove.LIBCMT ref: 00F46CB2
_memset.LIBCMT ref: 00F46CBF
LeaveCriticalSection.KERNEL32(?), ref: 00F46CCF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 59b670860f08ffeb8fac17f12ddc191028cd1e3c624d2a6747afad38d5225ad9
Instruction ID: 9f0cace0972bf305c89ad2c51fe92bbb7741cdb127fa7f9587c2d0da9ea6d016
Opcode Fuzzy Hash: 59b670860f08ffeb8fac17f12ddc191028cd1e3c624d2a6747afad38d5225ad9
Instruction Fuzzy Hash: D9F0543A204104ABCF016F55EC85E4ABB29FF45361F04C065FE085E25ACB75A811FBB4

Function 00F3A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F3A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3A18C
GetCurrentThreadId.KERNEL32 ref: 00F3A193
AttachThreadInput.USER32(00000000), ref: 00F3A19A

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 358b9561ea43f091ad7636392053d0c9f215cf6f878bc418ecc3d5953b9b6b64
Instruction ID: eecdf8f8b23bd7c2bb49462cf25f50ee022f00049dee31b98b9a8a110639fe3f
Opcode Fuzzy Hash: 358b9561ea43f091ad7636392053d0c9f215cf6f878bc418ecc3d5953b9b6b64
Instruction Fuzzy Hash: 16E0C93254522CBADB206BA2EC0DED77F5CEF267B1F408025F55995060C6B28544EBA1

Function 00EE2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00EE2231
SetTextColor.GDI32(?,000000FF), ref: 00EE223B
SetBkMode.GDI32(?,00000001), ref: 00EE2250
GetStockObject.GDI32(00000005), ref: 00EE2258
GetWindowDC.USER32(?,00000000), ref: 00F1C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F1C010
GetPixel.GDI32(00000000,?,00000000), ref: 00F1C029
GetPixel.GDI32(00000000,00000000,?), ref: 00F1C042
GetPixel.GDI32(00000000,?,?), ref: 00F1C062
ReleaseDC.USER32(?,00000000), ref: 00F1C06D

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 0a7460b3a4e746b3937ce7ad10d011990ae159f78d85a189b5a076a37dcf6e50
Instruction ID: c6b12c31799d1857869b25290cc67a157f1dfe8bac839e1e8bf69dd11dba4b64
Opcode Fuzzy Hash: 0a7460b3a4e746b3937ce7ad10d011990ae159f78d85a189b5a076a37dcf6e50
Instruction Fuzzy Hash: EDE03032904148EBDB215FA5FC0D7D83B10EB06336F048366FA79980E187B14994EB11

Function 00F38A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F38A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F3860E), ref: 00F38A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F3860E), ref: 00F38A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F3860E), ref: 00F38A5E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
Instruction ID: 53a995182525f7a5cc2d96df2825448137fea70b278ddfe48e02dc80323b4eba
Opcode Fuzzy Hash: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
Instruction Fuzzy Hash: 9FE04F36A05315BFDB205FB07D0DB563BA8AF50BA2F144828F245C9040DA68944AAB50

Function 00F220B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F220B6
GetDC.USER32(00000000), ref: 00F220C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F220E0
ReleaseDC.USER32(?), ref: 00F22101

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 599fcf7bbe0c895a2221d758f16fb1297a7db158c2f6d500995e1e93ec016b00
Instruction ID: 3af0995f031c5e6cfcfe3f027849fbda497c9dc3dae9a1b1aabd81025bc1478a
Opcode Fuzzy Hash: 599fcf7bbe0c895a2221d758f16fb1297a7db158c2f6d500995e1e93ec016b00
Instruction Fuzzy Hash: 81E0E5B5800208EFCB019FA1E90869D7BF1FB4C351F108025F86AE7221CBB98185AF40

Function 00F220CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F220CA
GetDC.USER32(00000000), ref: 00F220D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F220E0
ReleaseDC.USER32(?), ref: 00F22101

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4cd18a5478675221b036ec2616ab7b6c7bc52d137a8020e4bccdf3e20424127c
Instruction ID: fc7632fecfa3038e2edeaa91dc6cf014b72600eea3e49c5f86fb45044a4085e7
Opcode Fuzzy Hash: 4cd18a5478675221b036ec2616ab7b6c7bc52d137a8020e4bccdf3e20424127c
Instruction Fuzzy Hash: 07E012B5800208AFCB019FB1E90869D7BF1FF4C351F108029F96AE7220CBB99146AF40

Function 00F3B5B5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F3B780

Strings

Container, xrefs: 00F3B6FD
AutoIt3GUI, xrefs: 00F3B6F8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 8f3e7c7c566fa76889a267b821e0607bc5c4ad491122ebab7b6778b1d21827a7
Instruction ID: 6ae398e25ab9ca6d852cc43d9cd5c8e57e63b2478a1381619bcc3779505a1dbe
Opcode Fuzzy Hash: 8f3e7c7c566fa76889a267b821e0607bc5c4ad491122ebab7b6778b1d21827a7
Instruction Fuzzy Hash: 75914871600701AFDB14DF64C8A5B6ABBF8FF48720F14856DEA0ACB291DBB0E841DB50

Function 00F4B038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFFE06: _wcscpy.LIBCMT ref: 00EFFE29

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

__wcsnicmp.LIBCMT ref: 00F4B0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F4B182

Strings

LPT, xrefs: 00F4B0B3

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 558d0746a33607880f299b12f530b3548ecdd012e878ac2fda6db3001531fecb
Instruction ID: 6d92b60c9de6cefbf43e9d2ce8c1a1b5a1765c48b3213d765e6581be71cf42b3
Opcode Fuzzy Hash: 558d0746a33607880f299b12f530b3548ecdd012e878ac2fda6db3001531fecb
Instruction Fuzzy Hash: 95617376E00219AFCB14DF94C895EAEBBF4EF48310F144069F956AB292DB70EE40DB50

Function 00F288DA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F28981
_memmove.LIBCMT ref: 00F289DB

Strings

Oa, xrefs: 00F28A55, 00F2E332, 00F2E34E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _memmove
String ID: Oa
API String ID: 4104443479-3945284152
Opcode ID: e5aca61fa76280d8379818ec08a78310740abeb5a12b79fa8d5603e90283cd0b
Instruction ID: 2f7770cffaa84f1c8b7a3e429765782552b2a2644483a2398b3662518080a394
Opcode Fuzzy Hash: e5aca61fa76280d8379818ec08a78310740abeb5a12b79fa8d5603e90283cd0b
Instruction Fuzzy Hash: 02515070E01619DFDB24CF68D880ABEBBF1FF44314F248519E85AE7240EB31A996DB51

Function 00EF2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EF2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EF2AE1

Strings

@, xrefs: 00EF2AD5

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9a46bcde028fc218602e892e545c0427d1723339b640d775bdeadf0d1de510d7
Instruction ID: 0c4c73ca3fb457ec486710d2457c4b989ba60cc5f5f5310b71cf5e6facf10536
Opcode Fuzzy Hash: 9a46bcde028fc218602e892e545c0427d1723339b640d775bdeadf0d1de510d7
Instruction Fuzzy Hash: D7514CB14187889BD320AF11DC85BAFB7F8FF84314F82485DF1D9511A2DB709929CB56

Function 00F497DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EE506B: __fread_nolock.LIBCMT ref: 00EE5089

_wcscmp.LIBCMT ref: 00F498CD
_wcscmp.LIBCMT ref: 00F498E0

Strings

FILE, xrefs: 00F49819

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 35f85bcaeab1823d864c8b3f798b01c81631a4294daf8bac2eda99386ffb4f7e
Instruction ID: 7afbe6ccb6a43f9cb46e61166c47650e962d55e6717d8c832760d3ee9a911f31
Opcode Fuzzy Hash: 35f85bcaeab1823d864c8b3f798b01c81631a4294daf8bac2eda99386ffb4f7e
Instruction Fuzzy Hash: 4B41F872A0464EBADF209AA1CC85FEF7BFDDF45714F00046AF900B7180DAB59D0597A1

Function 00F526A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F526B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F526EA

Strings

|, xrefs: 00F526BB

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: b4bfb6aee2f133ccf6c6040d2b47afef541036be823aa160d9307cadaec82392
Instruction ID: 3e5eb4252b29a31e79fc0e072f32831a023316a10842a368a28d5f4853889f57
Opcode Fuzzy Hash: b4bfb6aee2f133ccf6c6040d2b47afef541036be823aa160d9307cadaec82392
Instruction Fuzzy Hash: 5E313771800119AFCF45EFA1DC85EEEBFB9FF18310F100169F914A6166EB315A46EB60

Function 00F67AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F67B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F67BA8

Strings

', xrefs: 00F67AFC

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 68735ae91372aedc7e71145b10485c53af0ec3db48ed72ebac889bd3da21db40
Instruction ID: 87a14e3eeaa30b403ce8ac2ad40331bbd80e51e3d9cb85b9477516735aba1d3d
Opcode Fuzzy Hash: 68735ae91372aedc7e71145b10485c53af0ec3db48ed72ebac889bd3da21db40
Instruction Fuzzy Hash: AF412774A043099FDB14DFA9C880BDABBB9FF49704F10016AE914AB395D770A941EFA0

Function 00F66A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F66B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F66B85

Strings

static, xrefs: 00F66AE5

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a13bffd2dab149a1438e7e5204aceb1907899350487e460d57bbaf2b023c001b
Instruction ID: a5e780052a771a839668314824ff36ff23cc72622176c1d65c34ddffb49ad7f8
Opcode Fuzzy Hash: a13bffd2dab149a1438e7e5204aceb1907899350487e460d57bbaf2b023c001b
Instruction Fuzzy Hash: 90318F71500608AEEB10DF74DC81AFB73A9FF88724F109619F9A9D7190DB35AC81E760

Function 00F42B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F42C44

Strings

0, xrefs: 00F42C02

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b70e0c5b3d8ceab2017c63326bdd33e4f67d97e52e6fbc4aea318bc2bf1979cb
Instruction ID: dbe30ef16bed0174203c1ca4c1c2f308b5d2f2d66807df48cbc114cdcf158eaa
Opcode Fuzzy Hash: b70e0c5b3d8ceab2017c63326bdd33e4f67d97e52e6fbc4aea318bc2bf1979cb
Instruction Fuzzy Hash: CB31D171A002099BEB648F48D9C5BAEBFB8FF45370F544039FE85A61A0D7709A40EB10

Function 00F53AFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F53B7C

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00F53B6E
, $, xrefs: 00F53BBC

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 67c51a7b0d5591b6cd69aafef550ca3ea393a69942a2426c8061e33c2fce9302
Instruction ID: e164a0b8bc488c09d9e6d06567e76c270cde39eb60fb04eb04d54282f61de7c6
Opcode Fuzzy Hash: 67c51a7b0d5591b6cd69aafef550ca3ea393a69942a2426c8061e33c2fce9302
Instruction Fuzzy Hash: 4E216131600259ABCF14EF69DC92EAD77A4BF45740F404498F905BB281DA34EA46EBA2

Function 00F66706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F66793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F6679E

Strings

Combobox, xrefs: 00F66760

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c4ad44f81acf9baaa29dc493db50c29cfab15d4a9f47665c97f9d741bd660089
Instruction ID: 71506fb5079ff053a75fb3de873eb818c2375dbcc40cee1ce2bd83f5854f7340
Opcode Fuzzy Hash: c4ad44f81acf9baaa29dc493db50c29cfab15d4a9f47665c97f9d741bd660089
Instruction Fuzzy Hash: 3D1194757002087FEF21DF24DC80EBB376AEB89378F114129F914D7290DA759C51A7A0

Function 00F66C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

GetWindowRect.USER32(00000000,?), ref: 00F66CA3
GetSysColor.USER32(00000012), ref: 00F66CBD

Strings

static, xrefs: 00F66C80

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: afd1194db23145384249346202ab10473bcde1d41675b48c93e13b435af0540a
Instruction ID: 4cfa7c7e43edd64aebdc030bf34d8309480b5631a9683e74c2c701b2c8b413ed
Opcode Fuzzy Hash: afd1194db23145384249346202ab10473bcde1d41675b48c93e13b435af0540a
Instruction Fuzzy Hash: 2E213A72A1020AAFDB04DFA8DC45AFA7BB8FB08315F044629FD55E3250D775E850EB50

Function 00F66952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F669D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F669E3

Strings

edit, xrefs: 00F669B8

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dbd915e3f769aeadf880e0248f34309e463665f819093fdaa0bd75cb2742d6ba
Instruction ID: 283d46bce0a0cdfaf84929b43dfcccbb4ca3ccb0c6e2d0ed97ee05ec764eccc6
Opcode Fuzzy Hash: dbd915e3f769aeadf880e0248f34309e463665f819093fdaa0bd75cb2742d6ba
Instruction Fuzzy Hash: 6C113D71900108ABEB105F74DC44AAB3B69EB05374F514724F9A5D71E0C676DC91BB60

Function 00F42CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F42D39

Strings

0, xrefs: 00F42D10

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 551f5da91741a017b8e56639937b01d013c4b3db6e64c548d8d2ebde840dc5fc
Instruction ID: 887c4df4c16fc3e81270eaa8c1b85d9b5c41926387c03b9985cff713a41f7352
Opcode Fuzzy Hash: 551f5da91741a017b8e56639937b01d013c4b3db6e64c548d8d2ebde840dc5fc
Instruction Fuzzy Hash: 87112272E01118ABCB60DB98DC84B9D7BB9AF02320F440131FD11AB2A0D730AE05F790

Function 00F522EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F52342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F5236B

Strings

<local>, xrefs: 00F52333

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 72daf4e229d5f1a86817faf16e614c5a3b6a2bf8d004764ba0176c41c373faf6
Instruction ID: fcdb9ccbfa773be5fb695c849d1940ed5a27e22ec45d8ebce5c6a84e962dab5b
Opcode Fuzzy Hash: 72daf4e229d5f1a86817faf16e614c5a3b6a2bf8d004764ba0176c41c373faf6
Instruction Fuzzy Hash: AA11E371501625BADB248F11CC88FBBFF68FF07362F10422AFE5552000D2746949E6F0

Function 00F390C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F39135

Strings

ComboBox, xrefs: 00F390D4
ListBox, xrefs: 00F390FF

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f917ab6c910feac2a7d486501309029adbf9aae3b036ad95c05d3f1d1db5d7e8
Instruction ID: 381e62c31304b20df57ed15b6132df46c260b8df6aabec72460585747bb65fb7
Opcode Fuzzy Hash: f917ab6c910feac2a7d486501309029adbf9aae3b036ad95c05d3f1d1db5d7e8
Instruction Fuzzy Hash: CA012872A09319ABDF04FB65CC958FE73A9EF06330F100619F876672D1EAB55808E650

Function 00F38FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F3902D

Strings

ComboBox, xrefs: 00F38FCC
ListBox, xrefs: 00F38FF7

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 96a6fac4e358d6ec4ae7031c8b28dcea0f19b2bf707c4f1998fea01a17ef971f
Instruction ID: 358fcae8b09334a9b084bc799291df9adacafacc3cd67608f198085bc0ed6ebd
Opcode Fuzzy Hash: 96a6fac4e358d6ec4ae7031c8b28dcea0f19b2bf707c4f1998fea01a17ef971f
Instruction Fuzzy Hash: A701F772B452086BDF14E7B1CC92EFE73A8DF05350F24002AB85673281EEA55E08E271

Function 00F39044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F390B0

Strings

ComboBox, xrefs: 00F39051
ListBox, xrefs: 00F3907C

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f2a6a1665d7ba2a52c3ed4a64c6eda4a5c82992ea2a9bac65840008183655760
Instruction ID: 93e708a31c5d249f2fe23ab65e4c1374b6e5ebe9affb0363f55dd395fbaaf7c4
Opcode Fuzzy Hash: f2a6a1665d7ba2a52c3ed4a64c6eda4a5c82992ea2a9bac65840008183655760
Instruction Fuzzy Hash: 7C01DBB2B4520867DF14F7B5CD82EFE73AC9F15320F241015785673292EAA59E0CA272

Function 00F44FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F44FED
_wcscmp.LIBCMT ref: 00F44FFF

Strings

#32770, xrefs: 00F44FF9

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1f65b82280b2ffcd2edd99b28a4971c8fb0ad6c08d3d88d424f588b3f19c7a0b
Instruction ID: a09fa2915287eddae4047e69ba4e05d4b1d688c804f3008697cabc4e6db2faf8
Opcode Fuzzy Hash: 1f65b82280b2ffcd2edd99b28a4971c8fb0ad6c08d3d88d424f588b3f19c7a0b
Instruction Fuzzy Hash: 07E0D17290422D2BD710A759AC05FA7F7ACEB45770F050057FD04D3151D5619A4597D1

Function 00F1B441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F1B494: _memset.LIBCMT ref: 00F1B4A1

Part of subcall function 00F00AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F1B470,?,?,?,00EE100A), ref: 00F00AC5

IsDebuggerPresent.KERNEL32(?,?,?,00EE100A), ref: 00F1B474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EE100A), ref: 00F1B483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F1B47E

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: a45c90b99aa6cee02e017f00383c6fb004a06c79971fee471307537987ab2c73
Instruction ID: 605570f4a4dba85004da7273f3c7507d1280124eb64797fa903ae1c22af7a42d
Opcode Fuzzy Hash: a45c90b99aa6cee02e017f00383c6fb004a06c79971fee471307537987ab2c73
Instruction Fuzzy Hash: A2E06D74200745CBD360EF65E8047827BE0AB04704F01892CE456C2742EBB8E488EBA1

Function 00F659CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F659D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F659EA

Part of subcall function 00F452EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45363

Strings

Shell_TrayWnd, xrefs: 00F659D0

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c630b9a46656482706928ec4f1a8ec43717bbd50f60ac0701af653f688947d78
Instruction ID: cf7fa0b766cfc495cabb0265426036f4fb0a69e8288a318b6ca571af97cbc91b
Opcode Fuzzy Hash: c630b9a46656482706928ec4f1a8ec43717bbd50f60ac0701af653f688947d78
Instruction Fuzzy Hash: 83D0C931384315B7E664BB70AC0BF967A14AB01B50F05182AB666AA1D1C9E4AC059654

Function 00F65A01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F65A17
PostMessageW.USER32(00000000), ref: 00F65A1E

Part of subcall function 00F452EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45363

Strings

Shell_TrayWnd, xrefs: 00F65A10

Memory Dump Source

Source File: 00000000.00000002.2112134819.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2112115699.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112187656.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112236099.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112258235.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_PARATRANSFARI REMINDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fa2c830eb8f36024c8e3b83f6ea551f3778d0d736625e15c1877c26c13ca14a5
Instruction ID: b063224ca5e89f041a8a15f524ec108bf062cce91b15bf6890ee9acb119288e6
Opcode Fuzzy Hash: fa2c830eb8f36024c8e3b83f6ea551f3778d0d736625e15c1877c26c13ca14a5
Instruction Fuzzy Hash: 29D0C9313803157BE664BB70AC0BF967A14AB05B50F05182AB666AA1D1C9E4AC059654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PARATRANSFARI REMINDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\Marquand

C:\Users\user\AppData\Local\Temp\aut24E5.tmp

C:\Users\user\AppData\Local\Temp\aut2544.tmp

C:\Users\user\AppData\Local\Temp\togging

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
PARATRANSFARI REMINDER.exe

Function 00EE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00EE4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00EE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F491FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00EE3023 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Function 00EE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00EE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00EE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00EE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00EE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01658178 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00EE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01657F58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Function 00EE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre