Edit tour

Windows Analysis Report
RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Overview

General Information

Sample Name:	RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Analysis ID:	1329385
MD5:	aa9c44eda9af9222c5cab2466bc44f5a
SHA1:	b5d7bcdf2637cee61c36d7a50d628288c3c5401e
SHA256:	b58a548a509a5a2453800587352c8a7ff970dba696e82a69343738ef94073a8f
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

RC_S23_3274 Or_amento ADP 231019_5_5009.exe (PID: 7296 cmdline: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe MD5: AA9C44EDA9AF9222C5CAB2466BC44F5A)

wab.exe (PID: 5868 cmdline: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-usering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4527772431.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000004.00000002.4527139319.0000000003378000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: RC_S23_3274 Or_amento ADP 231019_5_5009.exe PID: 7296	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://s.symcd.com06
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052EE

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00404B2B	0_2_00404B2B
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00407040	0_2_00407040
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00406869	0_2_00406869

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

File read: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Jump to behavior

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

0_2_004032A0

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

File created: C:\Users\user\Videos\frifundne.ini

Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

File created: C:\Users\user\AppData\Local\Temp\nsmDD6.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@3/27@0/0

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045AF

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static file information: File size 2716872 > 1048576

Source: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.4527139319.0000000003378000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4527772431.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RC_S23_3274 Or_amento ADP 231019_5_5009.exe PID: 7296, type: MEMORYSTR

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_02BB6495 push ebp; retf	0_2_02BB64A1
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_02BB282B push esi; retf	0_2_02BB282D
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_02BB5659 push ebp; iretd	0_2_02BB565A
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_02BB2BA5 push cs; ret	0_2_02BB2BA9

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	File created: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	File created: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	File created: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	File created: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	RDTSC instruction interceptor: First address: 00000000030678A1 second address: 00000000030678A1 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FD84DA31AAAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Program Files (x86)\Windows Mail\wab.exe	RDTSC instruction interceptor: First address: 00000000037178A1 second address: 00000000037178A1 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FD84CDE01BAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405841
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,	0_2_00406393
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	API call chain: ExitProcess graph end node			graph_0-3955
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	API call chain: ExitProcess graph end node			graph_0-4134

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3230000			Jump to behavior
Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 31F9008			Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Jump to behavior

Source: C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406072

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	211 Process Injection	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RC_S23_3274 Or_amento ADP 231019_5_5009.exe	3%	ReversingLabs	Win32.Trojan.Generic

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	RC_S23_3274 Or_amento ADP 231019_5_5009.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1329385
Start date and time:	2023-10-20 17:34:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@3/27@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 40 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	159518
Entropy (8bit):	4.960817713633101
Encrypted:	false
SSDEEP:	3072:qmeDeJ8Ybe2o9CyT1IToXwm+fzK5rLFytdkXnZo3oqoFCd:Xe6CMgP+fzK5rLKd4o8Md
MD5:	BA09C308837D314771A94107D336BBEF
SHA1:	97BE35C8AAF44E61B20EA290E8A21D1AD4B46D73
SHA-256:	9A96BC0B5D62292B3F96B46B0F6D47B9199A30B4270D2B543DDC55F3A1B5A02D
SHA-512:	7400B6DEF68435C3FACD8C594061EAE8DD838BF458ED67BE5B4B46E3518F8BCEAAA5E6D051B8DF8A5655AE319BDF86F786A769A00A1AB616CFE8ACEFA8D7020B
Malicious:	false
Reputation:	low
Preview:	.....Y...L.O....U......e.[..x......s.......0.........a......t...4.....-.$...i..^.1.........x........<.....^.i...I..._........j...UU...Y.....................Q.h.............C.......m........... _......P.................{....F.......S...`_.d.9&.........>......................2.....!U!.$p..../......`....MX..o.......'.....1...........A,o.......... .......=.........aA.......m.qA.-................:K.......2.....`.5....`Z...V4......2...6.....\...........\|.Z.U.......;.............................c.C....9.......\|.....d.....\Lv#v>.T..#......z....+......I.'..........r.....1..................k..v....\...........,......./.=...................O3..R........(.....I..`..H............z.5.Y..................$....4...........V.........^.......J..........os.h...G.........%........-mL......[E....M..{$V...v......Y......-...T......U.........o...II.......b......(5...........................9!.?h.....!.......n.............._.\|.......Bg..... ..1.@....K.........h.............Jx....s....5...............

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Candlebeam.ove

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	228110
Entropy (8bit):	7.807421413329608
Encrypted:	false
SSDEEP:	6144:iAxNaAEIflpAT9SHNP2+Eee+GHXhXqvfN:ba8NpSCt2jeed98
MD5:	380C91DBCBAF6F66B2B7447DC6736247
SHA1:	8F91FCB0472CEC021A003B4CCB189087AD808B2D
SHA-256:	FCE133C9989B948E7DFE41B667527EB7100854047D0C5CFCBD39903D36EC4684
SHA-512:	01E05CA2CCDA8630EDFFC4DA449488DBC3017AF2DD2BA78893077D9C4C7229F36721C60F37B12C36A24E3A4183DBD00255DEB846BECE7CC6C8D949BEACD1255E
Malicious:	false
Reputation:	low
Preview:	...K.*................__........ ..C.........]....r.......g...LLL......ff....................=......S...........((((................._.!........&..........x...........u.&&........}}}}.......................~..........vv....................HHH..++++++.....................III.................((.!!......##........n.....................&............p.......GG....a.....................................................g.aaa..........................f...c....O.........................;;...P.........P....V.....F.................55....I....g............^.....+....;;....\|.////.(............................ccc..........?................._............................MM..4..........L.a................................u.xxx.....g.........uu.... ............q.........VVV.rr.......77.......G....FF..............J....{>'......Q!.............Sf.......[.B..........J.f...f...f...f.....zs....f....}........=X... ......f............ e..f...........f...4.............\*u......#.e:f!.f...\|............

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Dilators.rea

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183697
Entropy (8bit):	4.922506908512051
Encrypted:	false
SSDEEP:	3072:iESZ53o/sRtTzP5xQyTXZTuLGkTNt8PahqoEN7RB3g2NEsfeJ:sD3omtTjjbZ6Lx5tdqoE1RtgbsfeJ
MD5:	A76AF828FEED0119F3B48B879AA6475B
SHA1:	7115B5170F61B3F1AEAC0C35828399702D911A44
SHA-256:	04B3CB7B2862551FB95142E5047FA259B8EDB90B37773DE6A1D5B5AEA33096A0
SHA-512:	09DFA9552F4824C880EA2F18BA06EF405503C359657CFE3937C417D35DD40A2A1992A46C36C1E0AE1EF0722ED30B54009367937B467C1602367C4FC388BED955
Malicious:	false
Reputation:	low
Preview:	.[6..7C....6l....D..y+.T........lA......G....8...&....g.5.R......a........L. ................M.4\|l.A....].4(..........w...ix..........C./..4;VY...#........k.x....y}........>................JU.......................>.I}....f...............T........X....O...i.....".........9.'...&.._........A........6........,?.....`..S...XD3.)..........[l......1..q.<.....u.................j.C .....,...."...9m.w...p.k.=..\|..........p..l/../..=.........{..].....s...........K.....~.....J.D........a..A...0............._.ob...1.......S.H....B_$)..#..#R.5......9...\|..5".H.s...s....ol/...Y.7.......B.I..............................b...................(y....Q......p.r........D..c..H...c.'......F....:........f............Q.........<Y........i..-.......#..t.g...................r...>..+...e.........k..nx...u....x.U....._.......h.x.;...n.7......[7t..-....EM..........`..6....1.....aq.....r...................K,..T......P......R+.=.k............z..&...........................2........q.s.....d2...........k

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Pneumonalgia.Tag

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	21592
Entropy (8bit):	2.7361148771818513
Encrypted:	false
SSDEEP:	384:20S3zLcO3oD1fBoPQAUEE4EEEyFx7zkTU:gDLc2oD1fBaQAUEE4EEEyFx7QTU
MD5:	09A9A9561F92CF1AD9DB06C51537D283
SHA1:	0C3AB141BF4965D8627612CAD5052BB5792CF1C4
SHA-256:	CEF877E61E5C914517BE93E4A87335C60D20CAE5C22447099D0D5B1F137FB8E1
SHA-512:	FDC2AB967BA403A2DCB88D4F8AE4F4E21F993D655F6D9662531E5FDE65689C8F86F868173667B694513E4CCB9D992B10EA82A8EB9C1BE3B11227DE03923C0BCA
Malicious:	false
Reputation:	low
Preview:	00008D00970083645316C5250C5EA57F5913A17E580099601E0DD6650548D67E1654DF5FBD52642AB35B0556CC2D751693764201B07E5A01B73F5B4484231648D67E16548E2F0654C6270654C63B160DD6271A4486370648D67E1650DA375F44C66F0E54DA375F44C63E5F4A8422162CBD52642AB35B0556CC2D600D846343059A565A0899741E0DC63B5F44C727075CC4210352DA375F44C66F0554C6271A449F37061CC2271F14D865072CBD52642AB35B0556CC2D650182515F089347590D98635316DE7E1616C33B160DD62F0654D63B160DD6271A0DD6271F0DD8650544D65FBD52642AB35B0556CC2D64019773700D9A721E0D84221A449F374455DA375F44C727075CC4210352DA3D5F44C63B160DD6271F0DD865052C83645316C5250C5EB5765A08A17E5800996066169974614C9F650744DA7E1654DA7E1654DA375F44C63B160DD6271F2C00000000888888880000EF0000A9A9A9001414007A00000000F6F6F6003700006B0000F50066008000000000EF00EDED00BCBC00626262620000001200000000006E6E6E6E6E6E00565600000000A6A600FD0000040404040400007171000084848400545400AC00C3000000A30000F300EF002B00E4E4E4E4000000B2B2B200000000AD000000002800A3A3000000009C9C9C9C9C00212100C2C2001000272700F5000000A000000000

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Reaccomodated.alc

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175473
Entropy (8bit):	4.952914805781313
Encrypted:	false
SSDEEP:	3072:OXiPz6oRIsUlocyoU+rtDkXMZP1EFm7lvU8oujiri5jI1avBQ:KirV2BA0rPn7lvSujiriGsG
MD5:	8C233AF8B71E56514846C89E3B571E9C
SHA1:	5C426C0E7703DBDDA55C5310E69B27A3B7A68AC5
SHA-256:	DD151C263E741799C25331C54F70E0146C19406377E20C5DDE7B8E3ACEF0A0CE
SHA-512:	058B6FAE8FE2A712F2D62CF655BFB0F36767FA5A8839133ADEE11B90C26F4FE9F828EA7ACD13FDBC3B925315B36E2D0DD60C6BD2F3A52FE7D49B2FAC4201AE3D
Malicious:	false
Reputation:	low
Preview:	.....o.....S.._.............&....x....n.6.......J......._I..r....G...............d..............L............I}9O....z........"..L3................(......................'......................Qa......................z.....u...'............^............../........................G......^..........B..U..F........R.......................o]...........}......t........U.P.......n...v.L..................`.$....nJ.Q..............1u..J......E.i.....[....?,...[............................@..;..%.3...w9......................B.!=..G!.....u... ....{-.......D....Q....V...Y......i..........,...........\..w.H.i.0.d.........3.3...EF......z...............N...Bpo......=................Y.....Jz.h..M........._.t...uK....-".......................T.....&........,...<......"......?.......1.A...m........e...........v...F..A.............Lc..........1...>........z.6....1......K........_/f..$...............................!.....n.......a...........3....i.......h_..s..........l...U..........^..1...

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Tangentialarm.cov

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174708
Entropy (8bit):	4.941841654549469
Encrypted:	false
SSDEEP:	3072:mnIerh+1vNWSXm7ycTgyJ6NHdQgNOKz7l3OK2Pu4RUUZ7hD9m1iMOgSj:mnAvNWsmxtJ6NHd0Kz4DPJaUrA18j
MD5:	4AFE73C90D8A610F565D7225E68A0C81
SHA1:	398434B5F228264A15342A822C424B7542EB42E0
SHA-256:	CCB71EDC227E59B370DA1618E8A8FFB363B54DBD2BBB4D97B9E1C3F633C14A71
SHA-512:	7711BEBC27A436DCF642C8C81873A466C64B8FEB8F3D2C50B250BB503B22B47A6069BE7BA4AB028091A134FEF367ECA1A70B5B48591E6258D5DAD69E76E20418
Malicious:	false
Reputation:	low
Preview:	.........<.8.....p.#.;w.2...E......d..........#.1....R.&z..[_..N.^...................8...s...p.....=.........r..=........}......4..........\|........`.......:.R......."...........p..m....o.........Q............Z4.........v...aZ............;.....de9.......................M..R.....@.......)+>.......o ..:............a.....[...I..l.......X.....p[.B../M..,..........U..\..w...e.......YC........5...........n.].p..]..-(........U......@..H...5.........Z.......e......6..............\....A...v..<..!.u...........b).d.........M.................\....H....].Z.........'..........+......#..`.....{..#.....h;......C...\2..............................E.._.........*e;...8....'.$..........[q.....b.M.......g........U...........N:.............................D.....}dg........\Qh.R@......V%.P........\|......................5~..........o....../.v.O.......5;......+........w..........I...../.................>.R..."..h".......'................7......e1....#.......XQ..}..;..........9/.......$........B.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Uncivilization.non

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	153180
Entropy (8bit):	4.939515279368202
Encrypted:	false
SSDEEP:	3072:ja+qRUC6amcXFiXIE6aBNKGrNzD/9LeiSD4wcdlJycn:jCVRiYE/Bzb9K9D4wcdlo6
MD5:	8898C0E91EEE054C76CDC6E534B1FC3C
SHA1:	9C9413AC98BB0BCF0EA4F87C64921281B40E2FA0
SHA-256:	69D166695EAE8B68F2F3DC439DFB647781A3F1AD7A231EBD0DB19CEEDBAB8806
SHA-512:	CAFB8B02616F7D5657AD378D8946BB2C241BD33C1286FA2AB843F745D56D467751215FE98DF062D69F906BF566BBE09A09E4D01ABED8A6FAD4625579AB3A5F3C
Malicious:	false
Reputation:	low
Preview:	.....[..t.....><..:X......g.....v..R...Q..........+.hw......B".....j..B.y..\..`.......>..........3z....E.............(..P......N.......!......]....~...d..~......"...........M.e...<b...AG.....d......4.i.V...a........2...4....7.1..(..........................;...\......\|...............plA..%.L..%}.........-......<.......9.....T.......W...6......0...........h............<...........................!.......a..x.................;........+D.....z]m$......l..............l. .o..........[....`.{.:....8...3..c..vB.....n._..v.h....F..........u........ .(................t<.....Q......Ph.}.......A.N..-.............VH...l.........a...~ZW....5..................$.....a...+...h.......q.....~h........qU^.........O..d....F{............h6...j.......~D...CPG..o......-........................6......~..._Z.........c....?..x...u..N..)z.....@.................6.v............&........y.....<....<.\|.......D..t.b.g...............Jg....?<..a)...W..O...E........r..Z.......yI...";#G..........................

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\Unmolest71.txt

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	491
Entropy (8bit):	4.343114851769286
Encrypted:	false
SSDEEP:	12:WCyhu04hmxaotenX3T9C5EZPzI23WZWNNYGFlLle2b2FggSPpmy:1zh6ahX3T9C5E9zIsWEVFFbKSPpmy
MD5:	941BCBB58C1621FD624F2CA4A1C430EE
SHA1:	762574F9F7CBCF1B4660FC16CF8FBB90089FA8F8
SHA-256:	311AE6C58BCC8D81A20A8E4DF20A9384A605C94FE52C26C07523E0897A9B27DC
SHA-512:	47EA77CB31382F1845AD0C112CE9A7322D02D661B246807CCCB0AB320B160A4CBAB7D04F90EA5E650A16D1D483457BA07500D4B7BE047321DD736CC5A62EC449
Malicious:	false
Preview:	underafklingerne sills gartner blanketmaking,exergue martialisation dialysebehandlinger pepful unacrimoniously..jaketters sekterernes bordherrer chernomorish vasalstaten sowback svinemrbraders spermatial greensboro flsets dataskift brinksmanship mangos..doubtably disciplinrur condimental primitivist,glamourisation bollard mobbede.blazonment fyresedlernes xanthospermous edulcorated counterstand droskechauffren prtentisestes goshawk ostrogothian finerede placewoman programfejls gladiola..

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\antiformant.spa

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	111653
Entropy (8bit):	4.93540148122626
Encrypted:	false
SSDEEP:	1536:mvdp11Sp0Ejgb5pVOTZGqLFXChIJf2BNjRWJbh8ocP86aNcURe6x+V3wtrQxR/NU:YAjgb5niZGqLt4y/n9/E/NUB6SHSu
MD5:	4705EA0CD3C9EB5AE1DD9CA841BAFCEE
SHA1:	FA3486F073CEDF03736F84A2363617D362CB5216
SHA-256:	6169643668DDA3C54B676C83B8F5658E54034776EB3AB94020F3F1E256A32E9E
SHA-512:	0B7A0BEE222771E8F7415B3F70ED9720235A9A0F0224918F055D714037D00D65D2F2FFDF75959ADB9BEA704A473C86B1377C7D6C904DEEAFA057E19F086224C1
Malicious:	false
Preview:	.............]......c8........_...............TS..<:..,..O.:....................\|...u..V.7....3......a..I.=................U....Z.v.....{~.....z..........,....'...n..........A.u.....=m.........p..c.;Qh....j.?............9........&..O...U........N.........7........2..Q.k.....fV..p._....+.}.. ?......U.D.p.....2".....!..KF."z...........2.......................v..5.d.K....A............f..F..J......m.c............../)......>..=.....D.......#G..y..........m......[...ZFf.......n...............gf....Q..RD.......'6........K.....+..................1.}...............A................"#.u.....{.....+.........N.......[..y_..........g........@.....`...s..e....x.......+......./...k.?.G..:e...C^..:FJ`...........................9...2...z~....P.......'.F.....#....;..s...B. .l..........................#....;.%....w...........af"...!....S.v.W........u...V .......N..W...........J..............)..!..............Y.>.....D....q......*.).............$......>,.......7.............8..%.?,...pn....9..

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\ceratinous.est

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	204058
Entropy (8bit):	4.94163303143438
Encrypted:	false
SSDEEP:	3072:v4lCMPvKDfICmKzL1moIwMhLj1FSRfZVikVeUpoNVg1OY9jzj3dw1cl:AsMXKruKzL1hpMhLjmNZVip9HgX9jHTl
MD5:	610D7B814D2CC4BB297624DBAB33292E
SHA1:	9D9B981E4F121E57B716D6FF4CB25F63599B1A4B
SHA-256:	E4AE60142AE58975799D5BCF244118307EEC7B1227429BBDAC6A64C36AADD64F
SHA-512:	0050666C6310289577416AE891E5B001323C72A4A3C206F1AB7A31E53313837509EF593EA861419113D3527BC89377E90C2D8718BD1A27EC8BCA895D82DB2220
Malicious:	false
Preview:	....E...........k.h....&.........8....=}W..................LZ....r....I............k......!C................O..........^.!.....3f.h.................u$.............W...]..........V...S...Z..P......]..D..B....]^.........................o..........h......R.........\.............p.M..O....YI.m......../....i.........l...q..\|...9m.r...K...........S.J.....Z..e...C...xwU............E.....u.W.:.....\...c.a.......c4......O.......d......4.....Z_.................K...J..Rs~.......'.t.$........"..%.........P...U>......t.0........................P.............0C...tH......................\....(7....._.4...^..........u...........M..{.............o.....k...7...../......../..........................7.......><.................^........2......r....................>..R.{..G.3................I........'..mo...........n..........l...y...................s..%.........o.7M..}.......}.....b....C.......Sm..k:.6..w..A$.......hv.. &......%......W.}.f....$......r.v.............x:.....y9.........=......V.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\drankere.int

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	203330
Entropy (8bit):	4.9390657330991266
Encrypted:	false
SSDEEP:	3072:bZr1TrewPG0EeDsOf6nqf6wIqdXIN/fjlWJJWSEu/DanH0/:bZrRreCG01f6IxI6YNXjlWeZA
MD5:	BB9867C6189B3E706EF667FC44F3D54C
SHA1:	1FB02D3A6474CC824C507152C07D69D9536BD33A
SHA-256:	255AC04B1B8C27FBAFC5BD4318145779B5C42C73E7F92B2182406F930E093F16
SHA-512:	3ECDB5642AB2173266BDFB9EEBE5FF57594A8A695EB3EE4B67886DF4D71601B902F881E020A630FCAAE93F6A174B11750B7FAAEB78E63AB2F1C7AA9C6B3CED05
Malicious:	false
Preview:	).q..........o.......?.q@...".....2..v....A.........<h.....2C.F....v6&(.B...\|...T........".~.......... ).......0:...........z..2P........~.........h.)......s....eV......................Ms....-9A....,.....tG...9......]..L.y...p6i........3.)f\|...U.....vM.K.s....3.......c.(...u(...............Y...1............."....;.....i........4...v..T}...x...y.0....4....Vc....4.................EB......\..z...d........................,.....a......../.....t(..V...&.................w..z.M........mv...iT.........S...6......(..<..'...g.....n{.........f.............d......k............!...#.b.........T....{........f.....}.=......\..F...5...B..A..........l.O.n:..................8......S.....'....h...E................................:B.....I.....@.4......q........}.v9H..rq......K#.N..8........>[..L...........`\.@..................u..{.......;.......&g.....PY........{...xr.X.....@e...n...........`..........d..0....[xr......'q.9....G.."B.K..........H............e...........R..t.....-....k..%

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\enchytraeid.fod

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	123394
Entropy (8bit):	4.946073104309169
Encrypted:	false
SSDEEP:	3072:v1cGJKLh5mhUHnbFvvDbyIGENCzp/Ck3JSgSMtO:dRKL6hyJjZDwpdZSxwO
MD5:	57942F8C67010250D2611CEC16555152
SHA1:	520F0297C889EFEAA7DABFCA379638C98C834E92
SHA-256:	9DA3FDC70176A73642C112C497976E81ED833B6D478EF65C9954F8B04723FC76
SHA-512:	677E39EE0E5EF52A0C619DB3F4DDC9C378D0B2AF32BB2CE8A8D66A12BB474D66EA43F7EE1313D7FCF294B7C45C4D7CE71438B55122E662C44DE7B043C1E48FAD
Malicious:	false
Preview:	............7F...c...-.5....;.\|......G...z.....i............%;.1.+.....P........d...K..=.........q.........3..... ..J...&..%!c.1"...z.....[..d........i........{.......?..._mV...:<m.....s.K...[...u..~...k..B.S..........f........a....j.0\P..O..n.L................O.............L......(#....K.........&.r>....N8..._......@m....~..............=.1H.........;....R.........9...........A.................B....T.'./.. ..............w...<...a..)...@.......+....@......... ........................I...........9.x......`.........(..Nc.............../......x.......6............<.......................s...J...............R....C.>I...6..?...W....S'.....x..........\..9.\......v.g#.......e.........N..................M...C.}............R....F@.....?.I.......b.........i....I.......1.D.........0..D.g........@..._.....S..x.E....."..8..c.............1... j..P.......G...}...{...s.....s......z.................rj.2.......7..4......P>w.....@3...........u.t..................4......I..~......q....z....O.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\heartrot.fra

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143731
Entropy (8bit):	4.932449070514557
Encrypted:	false
SSDEEP:	3072:+VEdch8WpNKNKgVV8F5+ezpmQs0VZzPkMhy8Y:+Bh8WpNAKgIzpls0DzPkMhQ
MD5:	6E6292F29F97CB099E86530BF554070F
SHA1:	0C2CA75911E7E4EA87CC6FE549BBD114B1BF958E
SHA-256:	A7F941F4A6D06D1B3956298ADAA5F009F4A34B96B0C373CEC34D371A6A482DE1
SHA-512:	2703D1BF2BB5BA365ABF833A9F7D7345B097CDF033CA0985A58E6CEE2ECF5A7243CA8055429E11BD4510D21D74CB3F2088E6E9E111C7EC1969DE8DBA9C00F4BE
Malicious:	false
Preview:	...!..\.3.P...V...............N....k....i...R........hP....6P.:...........o....4M.....................9.....B.K............q\......*.........4.........ai..Y..D>.G^<..(.........7......I.Q...K.h..i.........................w..A...L.......S.R; ~.0.g.......i..........}............B.....3.......e..a.q.\u............8........W.........K.r......3.........G.P.?)."..........L.........JRF.....RE.k....E.O....1...dG....#......A...>..Z....\|^c......S)t.O.w...a...........3....D...t............)............h$lN...6...........!..Z....../..sh.......[....P.3.....1..........................4....e\...P....3..{.........................s...V E..........,.."..........3............b....?...;.%......Z.............t.]...gd.........ho..@\...........g......C...../............[...4....c..................X..U.........a......V.................?...}.......h.c.{...........QR=.f.g.3..........8..nxo.......Q.z.......>...w......e[.X.f.1......s.n....R...)..........3...c.c............... ....t.........r._.:.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\holdenes.ufo

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	112456
Entropy (8bit):	4.947252102362902
Encrypted:	false
SSDEEP:	3072:qEdHq0bL67Tj15njc8QBcAPUn2c/IGkjrET:3bL67Tj1VdQHPS2VET
MD5:	5803B9ED2388D5BE0FDB1CB71C25C24B
SHA1:	5FCFADF3CF58ABF517555F2C8C0B37EDD6E1624C
SHA-256:	96FD7A5C9B26669606D551286B38648DEACB025C664BD62102CDED2EC3543D99
SHA-512:	0401C31CD900FDF9EA2E812ABFA4544F445D4A7521D7E4CC4983441A5E6AA7D4F7F98C05606E0300AE8315EEF9A3F432093345E98D90E4D4B8D49F7A5EB97F14
Malicious:	false
Preview:	..T.w...fT..........P.n...."........O.....Nn..N..LY_.S._..............m...........]...........H#.....................!....U....\.....................P.....r...................C..V.dU..............[...'.S...n..~...........H..E...B...h...................Z.;..(..../..'..'.g.........<......\|_.../......L.......7.?.'.Q....&.A.........z.........).............k.q....b..e.qF......b.R..3....U.\..!.....9.....?....}...............8.M.......-.z...S..........j.......w...........7...................X.................7....},c.0.=.)F......F.DG.......n3..y....[$..Ag..P...............t..S.......\|..-...T.........\|......D....M=.......H.......(.}...y;.... Fn...H.......I...?c....@......g..............w...lJR.\......K.C.....'.0q.....C.............+.........,........................h.......~.......=....\|.......................Aj..Q......'r......Z0D......~?.........X.....JM.......C....3....0......6.....Us.....SI..P.........=...........`k....p.t..:..la.....O'......%........A.?.. ......U....x...T..

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\inflamedness.grd

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181362
Entropy (8bit):	4.94529009320029
Encrypted:	false
SSDEEP:	3072:QD+CT+IAaYOlQtC9HhXN9KMp0UcUZktgGMGiSq7yX7sHvMpQovElSS463/:CaIAaPaQD7KM1clBM9MLsivTS4s/
MD5:	F4F5F4A46EF121DBAAA78911C1143457
SHA1:	60348A97143F5FB9FEED10659490CD63913FD1B8
SHA-256:	93F1E284240AE539D29AB87F0FE38E5EFED31B1FD701F7C23B65139393F6D29A
SHA-512:	A35545308259070A52D852A6A217274476BE2737419A2D4A9A8B4427A54844FB982F804563F3D67BDF83FCA699E06F9D0D4DD5CB907CB3267C334F247B2EFCC3
Malicious:	false
Preview:	b...3..z..4.............u......E..$...................=........v3..(........W...h...M...8...!Gm.RB.\|..........U..l+.....g/\|...n.......qW........>......6.....O..L..................j..../..........N.C.$[...=........>.6...W........o..*.....1...o....}..'............:.}.......................i.?....pC.'c..].......7......~.A..g.D.......^....amv.\|...........[....xl.}.....L...F..k.....PC............\x..........G...\.....S..%.....].......................e......=............$.....Dz.........f....9........Q.................P.....2...e.......i...g....7...J..........MO........-.Y.0.:.....w.......Nc..E:..........e....u.......Q....K..v......8p......\|+.3...M..?...39.0...a...../................ ......J........&.......n...>Tx..j.P.=..cA....................o.........#.........)..........P.........Q.......F...............DK.........P..~..c..=.....\....-.V...P.q................-..`..........a/.....8..... b........}.A..VN..\|y..']..6W....<.....".......~.:....I...~..............U.........V....

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\milieuaktivists.asc

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	188689
Entropy (8bit):	4.943382218928104
Encrypted:	false
SSDEEP:	3072:XaETShy5IJyrhnjzeYXEN059gRDreOGO0udKYrpbNkUHoS+ORnGAq+jYe0KncM:1Shy5IJyrZjzTXE82hFhxJpZNBYe0KcM
MD5:	134F441414B62AB7CA948B58E3017AAF
SHA1:	88CFA925BA4D4E7CD5D13E5944286FABA5E75644
SHA-256:	B03D43C07DD48241794D349DEC1D37DACF9742464F44486011C8E508E5355D2B
SHA-512:	ECA08F9A8028480818DBAF25856779CE00461B4FF4164EF2C252B72E5683B3E771CBFABB310C92D258E7E2F393FAA2AFAD52E139FCBC49A47E37843FA9E718F2
Malicious:	false
Preview:	Hv....B..L..........k.L... .......................?....i.+!.n.......z.......4...........Q..................\..}..yF..}z....o.........K....J.<..;.k....,.=......l..5.....8W....Ch..q..Xc....n..A....o......z.............w.\>5.......u"....}z.9.....}...0...F.....^......L..........j....~....o..0.j..........<9U.W..,....................`5..........U.N.&............H.................8o........u...}.\|j........5o............(........#.....%..Y.....F...........#....i..@.........._............../.m...N.........$..............Z6.l.......n.[.....l..........t.....ZM........H.......L...4.N...]....4E...........O...a.r......K 1..A..e.........................y.n.......o.........E.......M0...nq..... .......2.......b..........8....5...8..Zg.................(....a....(.].X.....U....8...$.....u...;k.....@...ir.......@.P.........C.......Bl...l^+.......n..a...b..........[.w._..........:.........P...................I.....i`:......................+...[....[......\..........I.......................!.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\overassistents.urt

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	126121
Entropy (8bit):	4.924502541404553
Encrypted:	false
SSDEEP:	3072:J+FiqRphn5c8pNH2QqqHwsQmZ1+XnsXfcQQ2:JEi4tpNHFg+9/Q2
MD5:	73F4838D977B5E3A41711BF116751EE4
SHA1:	3948F80F2EDB3A0DCF36F7895FA876A0FD74E27D
SHA-256:	D496A5F5BE15B913F71197205F6DF9D2E9A91936A735000E1B4A67097486068C
SHA-512:	ECEFA9C897B167542281960EAEE0D3E7901280A1A3FC4C69D6FCB827C8F6F6DD5FCD56537E7E034148084E6FD044D0F816829E00A2BF025D8801BCBF10BFEE02
Malicious:	false
Preview:	~......2....P%....hAI.......A../.. .@.P.....\...R].;................8$....f..g..Z......D.....a........s....).......v/...........y<&........`........\....\..#.......B......Y`..........<n...m.~K........5...+..u....X.`. .......$....{...[.....W...E......r...e.....v..M..Z........>............q....L...=M'....c../...h,....W..,.........AC..K....i............g......~..%.............3...{...........k...........................................;.....:(...........t....X ...&.......r......N..s..........ZPY...._C.s\........O.?.....8...2...........l.../......F.......I....Bs...T+...)..Y.S..I. .}..............sM....................:l.!]r.l..l.........o.........V..........*7N..N..:...g....C.................t.d2............wV.~...].......;s...............d.+\|..................(............Q.....u<..V.....+....4...X......o..96.y.........I~................?.......,.\|....M..9T..e.a..K.F.\|...D.J........A....n..2M....\......$-..9.......Zk..M.G.m.......O........4...........4;...............

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\sagvoldere.clo

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199997
Entropy (8bit):	4.95049480511275
Encrypted:	false
SSDEEP:	3072:NxLhJXks/x6CeXlKjvC9bbHoF4TDa/t69bMFzoDgF85RcXqWdRi16gLp:NF/XfQ1lIga/tabMFz+cXqUKj
MD5:	9AF958045DC9DE8AB158CC95776D6495
SHA1:	CEAB6CA9E6A7EED0E90DB72014BAAB2EED6A9768
SHA-256:	3C58A0C27D970C03989F2BC77DD6DD04C9D81990789117F82764FAF2E399B5D1
SHA-512:	AC246B614D4D91683517BF253803D8B2D5026B059350B97FAA8787D1AB2E2C26C71DFD9E6146EEEAF702437D4AC5B225B1D691ADC093ED92A3936D88118604B6
Malicious:	false
Preview:	.....(........F.T..+.y...<......k....,k/..........6=."l..2.i.......}..=\......-....qh..6...G-........_k.....0.................................[...p....r...;....W.......R.O1............)W..m..O!.......j.............vy...[..u...........`z.........................b..M...s.,......7.>^....L.x.8...........J..............dJ..?....8.?.........mG!.=.i...g...h.N.......eE...(....%...........8......'..4................6..lp:a.......~.......K.N.FN..<..............2........T........'.DX... .................z.............w..%......f.5....h.....f........i........i......T..V..............._.q..w.......#...cG>..E..G......8>...............1..(.....sD.......>.cA..=..]y..(..u....\|Y....D...........i........2..u....].s....7...R...........z........g....Q7..E...0.y..............N.....uT.....aN................7...K.....BR..........E.....+@k........:....6....c,X............K...\|;....$............5.%..........8m.oGZ..>...............s...=....{..........2..H..*...4....>........S..\|..Y......y........

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\sammenarbejde.sli

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172337
Entropy (8bit):	4.930290634445037
Encrypted:	false
SSDEEP:	3072:AD7h/7PXM0G0TPtNBXQ20fKlwFKCxaE3Qey+HnsYAIFw:AD7h/DM0Bf0nFlWoo0w
MD5:	9AFCEEB728EA02955A15C79DA11CD3B8
SHA1:	DBC38A717BFB6C6A7968218F6CD8B57816C2E0F3
SHA-256:	FD2D705F2B616074B9A68B647663D8CAB5C7B59EA05054D26DF85DF4F9454A61
SHA-512:	F842087F98EA5712504F46FC5A020D4DDEAE6C12FE989C3154C98F349BD9F398CB3B8B0EEE69B2215BD81C2AF1910D98785F500D61BFD46616072D35DCEF3E28
Malicious:	false
Preview:	...FV.......=.T.j.."}e......~.p..........................{FT.{.W..g......`......^..i..............Z.....}.....$E...........b...........c...P...l.e...Z.h...................t.........!U......\|......."pa...........`....Y.........$...E..........~..kp...;.."...o.........`......&.........Vf................"..@..]C....$T...V..R......s......h...Gl6..'......9....x.\|.........................".L(........M.....v...;.,..z3..<............#...N.7G.d..\|3..t.I...n.....h}.{..`.0..".....@...@. .....1....$...........a..i....mz<.....E........].\|.....SX....m...............3......../.g.W...$....f......e.].......[.........@..YxH.3\..v....W.iR..0.q...V.2...&...e..4E.5.......v.........v..........1.... ...........d.......`.?..s............W.38p.............p.+.....2...w.......m..r.....y...Kq......vJ.................wbS........T....U1......F._........!.0..-.#.....*......}.U..F..Ed.)................>$.r~.........+.O..e.b...<..........V.......7T........O.Q.Z......}...w.6.B.t........i\|.....bus...........

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\skaarlgger.sku

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	107849
Entropy (8bit):	4.949054522185106
Encrypted:	false
SSDEEP:	3072:8Be1lMJzDg6Zb3bv72VATF1xj2jiC8YRVWN:2e1lIRxGVAT/IYoVWN
MD5:	E7A692F50EBE0758632CC700DAD8BC10
SHA1:	34B33DAD733C782A30143D6842A4AA43EF028B80
SHA-256:	C0CA200B4352018F1326951C065582598BE249596E7E782EAD1C2038B9C02EFE
SHA-512:	E0A9AA37B7CD1AC0FE2A91BC17A92B1F6CF381640BBB4961AA1C2B2A3B8E647669FE99DD6177CAF19E4C108C392B624FBF70FA9D77A1534630780E4D533C1363
Malicious:	false
Preview:	f.&..=.ha.~..U...........(........\|.......?.....h...`...v....4..;D.j...@..M.@..2......O......N.}.1...@.Y............l. .....*.....H...U..<.. ..............l....5................U6...........@.....p.i........W...K...]{...................,..[..^....}........k..'...e.....<..........R....W.....`....b,..`..t.....e................R.z!x..............(..B..............W......K....ew..\|.N............u.....R.X....B.....]....j....H...C............\|U.....;......$......+............k...~..C....J................<...9.....................O.p...-.....f....I...........K=<..... /.....f.....d..x.ly..+..../....................9...1w.x1..1...{.O.,.....S......D..Ql...../......o..E...........6.........nXZ.v......F.................4...Y.c.....@....>m... ...]....J.M....{..........J...n.....2....4.(..7......cW.....p.........).................E........=.-.G......s..\|............3....U...../..{..G.........A....7..AS.7.4.h..........A.....A.....(....B....R.......E..0.U.l...D..V...................Z...

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\startskammelens.mor

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	151901
Entropy (8bit):	4.922047081618049
Encrypted:	false
SSDEEP:	3072:ZXNcFVdShVO5SKJxJK7mR65fq573pIrSMHv3Rh8wfpzCrIn5w+lXc:ZXUdJX6mM5SJmGMHvH5cTn
MD5:	E56C98FFF0A57A36E95D1CFEE82E7146
SHA1:	19917AE2B55DB15294780E209BED73B23EF39DDA
SHA-256:	AFA757D9209092F3734EEA02CD4797BEE3E385D7FE6541B7483F9C3A04250C2C
SHA-512:	7D65EBF87F16E4C13F81E5BB333C8B0B71D3A09EEFAAB25A63741D20ACC786561F76D063000E5710B55461F2BAE6A6CA5154EA083B501D105A76400B5FE4C372
Malicious:	false
Preview:	.....X...r.s.....Y..........E.X...v...gs....a(..9..]3.'..................{.........X..................NJ........7..0..............9..o..................{..........[..............c............3.M{.e...@..9........L.Q..r.,.....o...W.............{A.P...................7..........n...e.1,e......y..........f....@d..T=..J.E......,....:..L......U......E...........A..9.=....z.F......2....4....u..9....{...........S6.....0....S...............L.....!.......B...#[...^.......N....i......`..y.....e.......d.............\|.w........x......6.........H./..._.............0...8....M.M-..U......~....\.......%....."....~....G.....s.....k%........M..x..5....C.........8............g...qy.'......{5....X.=....i......$.rS.......v.....1.s..^..........v....@...........t...Z..Jk.....Q......Ab.........1.......AO...1%...o.h....S....6..............".IK.../....%..w..............}..Gq........N..... .....r.......VY..._..........h..........N...........E.P...._.u...........n......?.eR.........@.d[}.

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\synesthesia.fir

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115315
Entropy (8bit):	4.933716169936108
Encrypted:	false
SSDEEP:	3072:yoWq3doKVKbYeTjqsdmN0Yp+G51TlB4RVSNYj8:yeINdmN0A+G5TB46f
MD5:	8E72C193AF73C259F423EE05499B566B
SHA1:	17EF3655823771E35959D0F7DAEF7D130B7E2FBC
SHA-256:	3A5656609CDA0708F8F76EBC101ABD223685ADD36C8BCFC36B85F7C247F4661E
SHA-512:	7D42C95773BA148BE5551E2807E2850E944558FF2449F207434E78C00F0384A4BC99AB88A84C8CE477C54A46A9A99A3235B00DCCCAC94A5850424AACA2923C4B
Malicious:	false
Preview:	t...............@..]...E.....^..Q.w7.o.......#/...@J...................c..q...J......x......B..^...4........c........q)...t../0.(..T......p...........{........_...........L>.L.j..a.......g.........(:p~.~.......L.]ax.....M...........i?..!..^.....~...k...f..;....................o......=..........l..........u.....r.!.65.........:........>...(.....1....................w......a...A.....?....................`.........H...w)..Z ."...s..........Q..Z...............m..W..a............g..%.........v........<.../........H.......3...G...U...C}..:.....}F.#.........%.........o....7...........6.q......!d................j.~,..D.B....f......i.]...Y.........0.......a..O.......*...[....<......R.....EqK...............v.........b....5......\|M....ln.......,G.E...J......T..g...p0.....t...?.......).......Zw.......a...2............................&... ...).......j.?.......r#..........Y..M.u.h......../.T?.............x....o..7...I..............Z...........n...............T....'...........2..)..U...

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\trivalente.vid

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	169527
Entropy (8bit):	4.952881044983686
Encrypted:	false
SSDEEP:	3072:qzve04Mp9bVwS7h0cs0oRoVQzOsxdMh6Kh4q9FfQ7P:qzve0469bVp7+cs0oRoVQFMFz9lQ7P
MD5:	9C02DD0CDE6224AF894B17AE3C345FBC
SHA1:	4D5E753B3EE5F52549ADD9E60180E2534DA32484
SHA-256:	49DCDF0CE96754B433C373ADBBA4B5B8B048F7E5DD1A0F9424500B79636D4722
SHA-512:	E4B47319460911D3CAD2BA9D433C2B8C4AED414A5E85F7B427CA8E0AC0436CCF99C0D46BFDF1D8695C14F6EB06447961545837B23081E392F77796FCC243EEF1
Malicious:	false
Preview:	...\|..[...Q......o........w........)..............6.....e..).>..#.S..@....#................[A.....1......G........^..N`+.....R....9.........'.o......,..............J...................H .......x.....g...Q...7..8.'........Q..^...Y..$....^f..r....?..;.E......o.wG.........x...............e..:=.........m..9...J..)%.ZV....?...C;.p.........>..=#......5T.............v3..=.c.............[......./...............$...=............v....?...........6....C...\|....CQ.z.V?".P/...................Q..x............].....r`.h.....\........m......?.....3.......B..[....\.a.;.c.&........U.-..I.....:...)..1................G...U..f......q..}....m...........y..IB.m..m.....b...V..a...?..P..S......S..IE.......].............i.....l...w1.{...t....k........:........W-.&....wU....R..........Z;j........8...:.......,.[.........!.q.._0.......l..\..................^.T..........1........W.D..i....*........+}.....@..h......\.....\.D.....ns+@...r..........a..c....L...r......\..@.....................%.....C..........

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\BgImage.dll

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.220213965432121
Encrypted:	false
SSDEEP:	96:8e3k1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTF4j7J3kWyy/:t0TJa2roqJyA2EN8diuTSje
MD5:	5DA88848798426643F9810237B58937D
SHA1:	E1830DCA870437116B93DECBA8D0BA81F1056D65
SHA-256:	27D3E3E359E1E04B173277221055D043E2F3BAAF78A5D6F7E3A0A5DFCB96222C
SHA-512:	859D0FEF023B6FB9C41589E4AA5BCFC23259639AAAD2FB51E1304725D6E28852BD6B6A68FFCA8C6A20ADAE4D735E6A03620890036ED57095F40318804153F586
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L....z.W...........!................"........ ...............................`.......................................$....... ..d............................P....................................................... ...............................text...D........................... ..`.rdata....... ......................@..@.data........0......................@....reloc..v....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.6557532861400945
Encrypted:	false
SSDEEP:	192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
MD5:	0FF2D70CFDC8095EA99CA2DABBEC3CD7
SHA1:	10C51496D37CECD0E8A503A5A9BB2329D9B38116
SHA-256:	982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B
SHA-512:	CB5FC0B3194F469B833C2C9ABF493FCEC5251E8609881B7F5E095B9BD09ED468168E95DDA0BA415A7D8D6B7F0DEE735467C0ED8E52B223EB5359986891BA6E2E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.099620413135966
Encrypted:	false
SSDEEP:	192:oWa8cSzvTyl4tgi8pPjQM0PuAg0YNyZIFtSP:DaBSzm+t18pZ0WAg0RZIFg
MD5:	D6C3DD680C6467D07D730255D0EE5D87
SHA1:	57E7A1D142032652256291B8ED2703B3DC1DFA9B
SHA-256:	AEDB5122C12037BCF5C79C2197D1474E759CF47C67C37CDB21CF27428854A55B
SHA-512:	C28613D6D91C1F1F7951116F114DA1C49E5F4994C855E522930BB4A8BDD73F12CADF1C6DCB84FC8D9F983EC60A40AC39522D3F86695E17EC88DA4BD91C7B6A51
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....z.W...........!.........0...............0.......................................................................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..v............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.140229856656103
Encrypted:	false
SSDEEP:	96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
MD5:	01E76FE9D2033606A48D4816BD9C2D9D
SHA1:	E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
SHA-256:	EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
SHA-512:	62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.91573985412149
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RC_S23_3274 Or_amento ADP 231019_5_5009.exe
File size:	2'716'872 bytes
MD5:	aa9c44eda9af9222c5cab2466bc44f5a
SHA1:	b5d7bcdf2637cee61c36d7a50d628288c3c5401e
SHA256:	b58a548a509a5a2453800587352c8a7ff970dba696e82a69343738ef94073a8f
SHA512:	a0a5e07c8627f7149a6a535ff201fb2aae422bbf2505eb6426edf55fcb471cf78ef7e07066185276f072fb14191d6c5942efcb100ea82419b9be4a50938f051b
SSDEEP:	49152:cRqw2aja8QnXN81nUCV5VliUYmuyKLbokCQf8TlJoT9ESCPRGT8PsJ:cxPen9+n3r5YcsboCc29DKGYsJ
TLSH:	0CC5236DD214C0A3E65015345EE7DF316F269C5494604AA627F8BE1F3DBE3037C2A2EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@

File Icon


Icon Hash:	0721587958601f07

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Stophanen@Yawns.Sny, OU="glossmeter Crawlers Rufgardins ", O=Hobnobs, L=Oberr\x9cdern, S=Grand Est, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	07/02/2023 01:33:52 06/02/2026 01:33:52
Subject Chain	E=Stophanen@Yawns.Sny, OU="glossmeter Crawlers Rufgardins ", O=Hobnobs, L=Oberr\x9cdern, S=Grand Est, C=FR
Version:	3
Thumbprint MD5:	0F35215EE81B423169B3103299C65A52
Thumbprint SHA-1:	C2A30D5F9BEF516DD0F2BEB279BCD342532FE24E
Thumbprint SHA-256:	D4C1A38CDE32A066072EF832E385C28FB553B08C020AC2FA327B35D646A18D78
Serial:	1E9F612F35843EF7C10B1A3B7D35A8A126FD888B

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007FD84CDBEDA3h
push ebx
call 00007FD84CDC1EE4h
cmp eax, ebx
je 00007FD84CDBED99h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FD84CDC1E5Eh
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FD84CDBED7Ch
push ebp
push 00000009h
call 00007FD84CDC1EB6h
push 00000007h
call 00007FD84CDC1EAFh
mov dword ptr [00434EE4h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [00434F98h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h
push 00433EE0h
call 00007FD84CDC1A98h
call dword ptr [004080A8h]
mov ebp, 0043F000h
push eax
push ebp
call 00007FD84CDC1A86h
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x309a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2952b0	0x2218
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637b	0x6400	False	0.671484375	data	6.484796945043301	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14b0	0x1600	False	0.4401633522727273	data	5.033673390997287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2afd8	0x600	False	0.5188802083333334	data	4.039551377217298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x22000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x309a8	0x30a00	False	0.4110298843187661	data	4.7411066985802535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x57430	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x57798	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2446912338814622
RT_ICON	0x67fc0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.3060752575152407
RT_ICON	0x71468	0x7d43	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9907381420151558
RT_ICON	0x791b0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.32587800369685765
RT_ICON	0x7e638	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.31973311289560696
RT_ICON	0x82860	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.38163900414937757
RT_ICON	0x84e08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.41862101313320826
RT_ICON	0x85eb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5073770491803279
RT_ICON	0x86838	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5647163120567376
RT_DIALOG	0x86ca0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x86de8	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x86f28	0x100	data	English	United States	0.5234375
RT_DIALOG	0x87028	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x87148	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x87210	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x87270	0x84	data	English	United States	0.7348484848484849
RT_VERSION	0x872f8	0x36c	data	English	United States	0.4954337899543379
RT_MANIFEST	0x87668	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	17:34:55
Start date:	20/10/2023
Path:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Imagebase:	0x400000
File size:	2'716'872 bytes
MD5 hash:	AA9C44EDA9AF9222C5CAB2466BC44F5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.4527772431.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	17:38:44
Start date:	20/10/2023
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe
Imagebase:	0x600000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.4527139319.0000000003378000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	13.8%
Signature Coverage:	20.3%
Total number of Nodes:	1525
Total number of Limit Nodes:	47

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C3
GetVersion.KERNEL32 ref: 004032C9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
#17.COMCTL32(00000007,00000009), ref: 00403315
OleInitialize.OLE32(00000000), ref: 0040331C
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
GetCommandLineW.KERNEL32(Bistandspengene Setup,NSIS Error), ref: 0040334D
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00000000), ref: 00403360
CharNextW.USER32(00000000,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00000020), ref: 00403387

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
DeleteFileW.KERNELBASE(1033), ref: 00403527

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Bistandspengene Setup,NSIS Error), ref: 0040605D

OleUninitialize.OLE32(?), ref: 004035F2
ExitProcess.KERNEL32 ref: 00403613
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403626
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403635
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403640
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00000000,?), ref: 0040364C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
CopyFileW.KERNEL32(C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,0042AA08,00000001), ref: 004036D6
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
OpenProcessToken.ADVAPI32(00000000), ref: 00403739
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
AdjustTokenPrivileges.ADVAPI32 ref: 00403771
ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
ExitProcess.KERNEL32 ref: 004037B9

Strings

C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe, xrefs: 004036D1
SeShutdownPrivilege, xrefs: 00403748
Bistandspengene Setup, xrefs: 00403343
~nsu, xrefs: 0040361E
C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114, xrefs: 004034A4, 004035C4, 0040366E, 00403678
.tmp, xrefs: 0040363A
Error launching installer, xrefs: 004035A9
"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 00403353, 00403359, 0040354F
C:\Users\user\AppData\Local\Temp\, xrefs: 004034B6, 004034BB, 004034D1, 004034DD, 004034EC, 004034F9, 00403505, 0040350D, 00403623, 00403634, 0040363F, 0040364B, 00403658, 00403667, 00403718
1033, xrefs: 00403522
TEMP, xrefs: 00403506
C:\Users\user\Desktop, xrefs: 00403645, 0040364A, 00403677
NSIS Error, xrefs: 0040333E
\Temp, xrefs: 004034D8
TMP, xrefs: 0040350E
UXTHEME, xrefs: 004032E6, 004032EB, 004032F1
C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty, xrefs: 004035CF
Low, xrefs: 004034F4

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$.tmp$1033$Bistandspengene Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty$C:\Users\user\Desktop$C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3577499799
Opcode ID: 26eb6f9b16d8ac2476929461e4c221b8d9deac311ccc6cd13137edb9e6a9c942
Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
Opcode Fuzzy Hash: 26eb6f9b16d8ac2476929461e4c221b8d9deac311ccc6cd13137edb9e6a9c942
Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404B2B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B43
GetDlgItem.USER32(?,00000408), ref: 00404B4E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
LoadBitmapW.USER32(0000006E), ref: 00404BAB
SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
DeleteObject.GDI32(00000000), ref: 00404C21
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
ShowWindow.USER32(?,00000005), ref: 00404D7B
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
ImageList_Destroy.COMCTL32(?), ref: 00404F4B
GlobalFree.KERNEL32(?), ref: 00404F5B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
ShowWindow.USER32(?,00000000), ref: 004050FA
GetDlgItem.USER32(?,000003FE), ref: 00405105
ShowWindow.USER32(00000000), ref: 0040510C

Strings

M, xrefs: 00404CD5
, xrefs: 004050E4
N, xrefs: 00404DB6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: e520d1d30b512afb12423a7735dcee7f53e95ce598d54926476c1ad935aac9f3
Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
Opcode Fuzzy Hash: e520d1d30b512afb12423a7735dcee7f53e95ce598d54926476c1ad935aac9f3
Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00406072 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0042C228,?,004051E6,0042C228,00000000,00000000,0041C400), ref: 00406135
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004061B3
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061C6
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406210
CoTaskMemFree.OLE32(?), ref: 0040621B
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
lstrlenW.KERNEL32(Call,00000000,0042C228,?,004051E6,0042C228,00000000,00000000,0041C400), ref: 00406299

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406239
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406181
Call, xrefs: 0040609C, 0040617C, 0040619D, 004061B2, 004061C5, 004061E1, 0040620C, 0040623E, 00406244, 0040625E, 00406272, 00406292, 00406298, 004062A4, 004062D7

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 9ac22be3adfbab36e9e2758bb774a502216386bf045014d88804defae461a58b
Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
Opcode Fuzzy Hash: 9ac22be3adfbab36e9e2758bb774a502216386bf045014d88804defae461a58b
Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
lstrcatW.KERNEL32(0042F250,\*.*), ref: 004058B2
lstrcatW.KERNEL32(?,0040A014), ref: 004058D5
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
FindClose.KERNEL32(00000000), ref: 0040599A

Strings

"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 00405841
C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
\*.*, xrefs: 004058AC

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3105261078
Opcode ID: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction ID: caf420165dc21d0a99f0983ed575dd8be70d76c6b9b5ff92ec706b465e099e4b
Opcode Fuzzy Hash: 310f22d1e18abc7c3bbe2dee3bc3119d14cc0d79031cc9c47b9afefb4b25f888
Instruction Fuzzy Hash: DB41B171800A14EADB21AB65CD49BBF7678EF85764F10423BF801B11D1D77C4A82DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406393 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405861,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
FindClose.KERNEL32(00000000), ref: 004063AA

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction ID: 351587cf9ce3a522800e1c73501a9738d9f8821b35168cd3fdb078f4a7df3edc
Opcode Fuzzy Hash: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
Instruction Fuzzy Hash: C2D012315081209BC34157787E0C84B7B5C9F1A3317259F36F96AF12E1CB348C2286DC

Uniqueness

Uniqueness Score: -1.00%

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
ShowWindow.USER32(?), ref: 00403C95
DestroyWindow.USER32 ref: 00403CA9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
GetDlgItem.USER32(?,?), ref: 00403CE6
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
IsWindowEnabled.USER32(00000000), ref: 00403D01
GetDlgItem.USER32(?,00000001), ref: 00403DAF
GetDlgItem.USER32(?,00000002), ref: 00403DB9
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
GetDlgItem.USER32(?,00000003), ref: 00403ECA
ShowWindow.USER32(00000000,?), ref: 00403EEB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
EnableWindow.USER32(?,?), ref: 00403F18
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
EnableMenuItem.USER32(00000000), ref: 00403F35
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
lstrlenW.KERNEL32(0042D248,?,0042D248,Bistandspengene Setup), ref: 00403F89
SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
ShowWindow.USER32(?,0000000A), ref: 004040D1

Strings

Bistandspengene Setup, xrefs: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Bistandspengene Setup
API String ID: 3282139019-953744084
Opcode ID: 1e8f8ab3894185fee3e819c4da667bb3c8cf9c8625066028452a86f04d68d7ae
Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
Opcode Fuzzy Hash: 1e8f8ab3894185fee3e819c4da667bb3c8cf9c8625066028452a86f04d68d7ae
Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457

lstrcatW.KERNEL32(1033,0042D248), ref: 0040391A
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,76233420), ref: 0040399A
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
GetFileAttributesW.KERNEL32(Call), ref: 004039B8
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114), ref: 00403A01

Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4

RegisterClassW.USER32(00433E80), ref: 00403A3E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
ShowWindow.USER32(00000005,00000000), ref: 00403AC1
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
RegisterClassW.USER32(00433E80), ref: 00403B03
DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22

Strings

RichEdit20W, xrefs: 00403AE5, 00403AEB
RichEd20, xrefs: 00403AC7
.exe, xrefs: 004039A7
C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114, xrefs: 00403929, 00403931, 004039D4, 004039DA, 004039EA
Control Panel\Desktop\ResourceLocale, xrefs: 004038CD
RichEdit, xrefs: 00403AF4
"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 0040389D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040389E
1033, xrefs: 004038B9, 00403915
Call, xrefs: 00403961, 0040396A, 00403978, 004039C7, 004039CD
_Nb, xrefs: 00403A1D, 00403A85
.DEFAULT\Control Panel\International, xrefs: 00403905
RichEd32, xrefs: 00403AD5

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3355066721
Opcode ID: 42654ec177014d1f03b4ff0d2635b06bf077c7dc75d3c24c479e90fc5b65b2ec
Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
Opcode Fuzzy Hash: 42654ec177014d1f03b4ff0d2635b06bf077c7dc75d3c24c479e90fc5b65b2ec
Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,00000400,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00402E1B

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C4B

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00402E67

Strings

"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 00402DEE
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Inst, xrefs: 00402ED3
C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Error launching installer, xrefs: 00402E3E
Null, xrefs: 00402EE5
soft, xrefs: 00402EDC

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3972719206
Opcode ID: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
Opcode Fuzzy Hash: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty,?,?,00000031), ref: 004017CD

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Bistandspengene Setup,NSIS Error), ref: 0040605D

Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Strings

Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Local\Temp\nsy10D5.tmp, xrefs: 00401819, 00401837
C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty, xrefs: 00401796

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty$C:\Users\user\AppData\Local\Temp\nsy10D5.tmp$C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll$Call
API String ID: 1941528284-3428117366
Opcode ID: 1c292b98166a31c9089d75ffbac55774b0fa1de423b16314c0e4ed2c7239b5d3
Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
Opcode Fuzzy Hash: 1c292b98166a31c9089d75ffbac55774b0fa1de423b16314c0e4ed2c7239b5d3
Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

@, xrefs: 004030AB
... %d%%, xrefs: 0040316E

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040567E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
GetLastError.KERNEL32 ref: 004056D5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
GetLastError.KERNEL32 ref: 004056F4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4
C:\Users\user\Desktop, xrefs: 0040567E

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1229045261
Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004063BA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
wsprintfW.USER32 ref: 0040640C
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420

Strings

\, xrefs: 004063E2
UXTHEME, xrefs: 004063C3
%s%S.dll, xrefs: 00406406

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(100015B1), ref: 10001786

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$Free$Alloc$CloseHandleLibrarylstrcpy
String ID:
API String ID: 3864083275-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp
API String ID: 1356686001-491687687
Opcode ID: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
Opcode Fuzzy Hash: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668

Uniqueness

Uniqueness Score: -1.00%

Function 00405C54 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C72
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D

Strings

"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 00405C54
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
nsa, xrefs: 00405C61

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3587040408
Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401FC3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Strings

`OC, xrefs: 0040203C

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: `OC
API String ID: 334405425-799166930
Opcode ID: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
Opcode Fuzzy Hash: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F47
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F68
RegCloseKey.ADVAPI32(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F8B

Strings

Call, xrefs: 00405F20

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405861,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty
API String ID: 1892508949-994715067
Opcode ID: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
Opcode Fuzzy Hash: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405152
CallWindowProcW.USER32(?,?,?,?), ref: 004051A3

Part of subcall function 00404160: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00404172

Strings

, xrefs: 00405133

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A

Uniqueness

Uniqueness Score: -1.00%

Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(006CC398), ref: 00401BA7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9

Strings

Call, xrefs: 00401B5E, 00401B64, 00401B7E

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: e6a2c73912112ff71fc33628da0d13833a7b58db45f4bb66cc56c7521ba72712
Instruction ID: 7a614025040163c027adcf1a42aafa75fa428ef26c0d2b57b4045ab01fe90682
Opcode Fuzzy Hash: e6a2c73912112ff71fc33628da0d13833a7b58db45f4bb66cc56c7521ba72712
Instruction Fuzzy Hash: 66219072A40100EBDB20EFA4CE85E5F77AAAF45324B25453BF106B32D1DA78A8518B5D

Uniqueness

Uniqueness Score: -1.00%

Function 10001058 Relevance: 4.6, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 100010AA
GlobalAlloc.KERNEL32(00000040,00000000), ref: 100010B9
GlobalFree.KERNEL32(00000000), ref: 100010D6

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$AllocFreeSize
String ID:
API String ID: 465308736-0
Opcode ID: 5aa5a656087daa40f777e4f1ed1206b7320d07011ea3681182fea69699b670d0
Instruction ID: f516a1bc6a14b8156c531ece61ee701a379590ab2ffb65a9b287619e966faa5a
Opcode Fuzzy Hash: 5aa5a656087daa40f777e4f1ed1206b7320d07011ea3681182fea69699b670d0
Instruction Fuzzy Hash: 2B012476800711A7F711EBB5AC859CB77ECEF882E07018026FA08C720AEFB0E9404B61

Uniqueness

Uniqueness Score: -1.00%

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000003CA,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 92ab2df8331217a59a17599f40ffe36fb639f1bdbb8a7e9334f9d6b9ff154f8a
Instruction ID: f1a23a851f53a7f1557dfd10c54e6723b1dbb9afb6220ffeee8eb14207b379e7
Opcode Fuzzy Hash: 92ab2df8331217a59a17599f40ffe36fb639f1bdbb8a7e9334f9d6b9ff154f8a
Instruction Fuzzy Hash: 2BF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000003CA,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 72679c68904c0da51367ebbef88f38aa05796d10a352d8d827880ed32402d475
Instruction ID: 9e7747ffe68dd38d2e91679843896ff1bba49b3e2177530597f16d8d521728a9
Opcode Fuzzy Hash: 72679c68904c0da51367ebbef88f38aa05796d10a352d8d827880ed32402d475
Instruction Fuzzy Hash: 47119E31911205EBEB10CFA0CA489AEB7B4EF44354B20843FE046B72C0DAB89A41EB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
Opcode Fuzzy Hash: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040642A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
GetProcAddress.KERNEL32(00000000,?), ref: 00406457

Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
Part of subcall function 004063BA: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C25 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C29
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C4B

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405C00 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: cd99531f96ac703a51573f19c9b8cc9de44b2267bcc9c0d579c2fc711e4bd44e
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 3AD0C972504520ABC2102738AE0889BBB55EB952717024B39FAA9A22B0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 004056FB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
GetLastError.KERNEL32 ref: 0040570F

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1f4eb151cda913b169ffb88545351cdbaf4989d3d31845bb092f08ab334f10a1
Instruction ID: 961aab187d6e804d52bb1e41e5d93eaf0119f522ae0a1b5a30e902dd9b89f162
Opcode Fuzzy Hash: 1f4eb151cda913b169ffb88545351cdbaf4989d3d31845bb092f08ab334f10a1
Instruction Fuzzy Hash: BCE04871601514EFDB01AF959E49DAF7769DB40328B14043BF501F00E1CA7D8C419E2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,000003CA,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
Instruction ID: ed87ac6fe78c97b3ff6a715646c68139f6b7da630c9be1cec1260a384e7beadd
Opcode Fuzzy Hash: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
Instruction Fuzzy Hash: 3AE0E676154108BFDB01DFA5EE47FE977ECAB44704F048035BA08D7091C674F5508768

Uniqueness

Uniqueness Score: -1.00%

Function 00405CD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: cd54f3301e23830850d9ea58ef2d9b6b3716dac1cb42590a0fcdec79a0e610d3
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 77E0EC3221425EABDF109E959C04EEB7B6CEB05360F048437FD16E2150D631E921ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CA8 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00404149 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction ID: 10f0f1b1c79289e67bc844ccbe5aec3c597dbf8b190d8890215e27c6ac549869
Opcode Fuzzy Hash: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
Instruction Fuzzy Hash: 27B0123A180A00BBDE118B00EE0AF857E62F7AC701F018438B340250F0CAF300E0DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004052EE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040534C
GetDlgItem.USER32(?,000003EE), ref: 0040535B
GetClientRect.USER32(?,?), ref: 00405398
GetSystemMetrics.USER32(00000002), ref: 0040539F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
ShowWindow.USER32(?,00000008), ref: 0040543B
GetDlgItem.USER32(?,000003EC), ref: 0040545C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
GetDlgItem.USER32(?,000003F8), ref: 0040536A

Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157

GetDlgItem.USER32(?,000003EC), ref: 004054AE
CreateThread.KERNEL32(00000000,00000000,Function_00005282,00000000), ref: 004054BC
CloseHandle.KERNEL32(00000000), ref: 004054C3
ShowWindow.USER32(00000000), ref: 004054E7
ShowWindow.USER32(00000000,00000008), ref: 004054EC
ShowWindow.USER32(00000008), ref: 00405536
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
CreatePopupMenu.USER32 ref: 0040557B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
GetWindowRect.USER32(?,?), ref: 004055AF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
OpenClipboard.USER32(00000000), ref: 00405610
EmptyClipboard.USER32 ref: 00405616
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
GlobalLock.KERNEL32(00000000), ref: 0040562C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
GlobalUnlock.KERNEL32(00000000), ref: 00405660
SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
CloseClipboard.USER32 ref: 00405671

Strings

{, xrefs: 00405554

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: c4b52b2e618ac1b4ceb8eccc4828d65ce2d69768586c872b5e4af6598ace69d9
Instruction ID: 691c8e7aa241a152ccc1fa1da29986a8db7386483fecbbc97dabe6f77f48909a
Opcode Fuzzy Hash: c4b52b2e618ac1b4ceb8eccc4828d65ce2d69768586c872b5e4af6598ace69d9
Instruction Fuzzy Hash: D4B14971800608BFDB119FA0DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004045AF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045FE
SetWindowTextW.USER32(00000000,?), ref: 00404628
SHBrowseForFolderW.SHELL32(?), ref: 004046D9
CoTaskMemFree.OLE32(00000000), ref: 004046E4
lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404716
lstrcatW.KERNEL32(?,Call), ref: 00404722
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734

Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C

Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
Part of subcall function 004062E4: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
Part of subcall function 004062E4: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812

Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

Call, xrefs: 00404710, 00404715, 00404720
C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114, xrefs: 004046FF
A, xrefs: 004046D2

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$Call
API String ID: 2624150263-130763394
Opcode ID: 7c84fd604c64be66d5e66193ff5fa4d290b9f71cf9d700dc6b5080d1f641d0f0
Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
Opcode Fuzzy Hash: 7c84fd604c64be66d5e66193ff5fa4d290b9f71cf9d700dc6b5080d1f641d0f0
Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty
API String ID: 542301482-994715067
Opcode ID: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
Opcode Fuzzy Hash: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407040 Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407274
p!C, xrefs: 00407190, 004071B2, 00407262, 00407234, 004071B7

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
Opcode Fuzzy Hash: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29

Uniqueness

Uniqueness Score: -1.00%

Function 00406869 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004042B1 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
GetDlgItem.USER32(?,000003E8), ref: 00404363
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
GetSysColor.USER32(?), ref: 00404391
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
lstrlenW.KERNEL32(?), ref: 004043B2
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
GetDlgItem.USER32(?,0000040A), ref: 0040442D
SendMessageW.USER32(00000000), ref: 00404434
GetDlgItem.USER32(?,000003E8), ref: 0040445F
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
SetCursor.USER32(00000000), ref: 004044B3
ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,00000001), ref: 004044C8
LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
SetCursor.USER32(00000000), ref: 004044D7
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404506
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518

Strings

(B@, xrefs: 004044BD
N, xrefs: 0040444D
Call, xrefs: 0040448E
open, xrefs: 004044C0

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: (B@$Call$N$open
API String ID: 3615053054-1706805125
Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Bistandspengene Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Bistandspengene Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Bistandspengene Setup$F
API String ID: 941294808-2545038397
Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7F Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(004308E8,NUL), ref: 00405D8E
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB

Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
wsprintfA.USER32 ref: 00405DF6
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
GlobalFree.KERNEL32(00000000), ref: 00405EDF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6

Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C29
Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405C4B

Strings

[Rename], xrefs: 00405E60, 00405E72
%ls=%ls, xrefs: 00405DEC
NUL, xrefs: 00405D88

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: 32b57ce3ca8940dfd53990341f9ef3c7080b2e07a05584e4532bbcc5854619bf
Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
Opcode Fuzzy Hash: 32b57ce3ca8940dfd53990341f9ef3c7080b2e07a05584e4532bbcc5854619bf
Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC

Uniqueness

Uniqueness Score: -1.00%

Function 004062E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
CharNextW.USER32(?,?,?,00000000), ref: 00406356
CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E

Strings

"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 004062E4
C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
*?|<>/":, xrefs: 00406336

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2785752501
Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040417B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404198
GetSysColor.USER32(00000000), ref: 004041B4
SetTextColor.GDI32(?,00000000), ref: 004041C0
SetBkMode.GDI32(?,?), ref: 004041CC
GetSysColor.USER32(?), ref: 004041DF
SetBkColor.GDI32(?,?), ref: 004041EF
DeleteObject.GDI32(?), ref: 00404209
CreateBrushIndirect.GDI32(?), ref: 00404213

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004051AF Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: e3fc960ff43bac39058fc79546c11771123aad835ff3a9f0579e84c03a5b243d
Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
Opcode Fuzzy Hash: e3fc960ff43bac39058fc79546c11771123aad835ff3a9f0579e84c03a5b243d
Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404A79 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
GetMessagePos.USER32 ref: 00404A9C
ScreenToClient.USER32(?,?), ref: 00404AB6
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE

Strings

f, xrefs: 00404ACA

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(002952A5,00000064,002974C8), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
Opcode Fuzzy Hash: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
C:\Users\user\AppData\Local\Temp\nsy10D5.tmp, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsy10D5.tmp$C:\Users\user\AppData\Local\Temp\nsy10D5.tmp\System.dll
API String ID: 3109718747-1853346970
Opcode ID: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
Opcode Fuzzy Hash: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E

Uniqueness

Uniqueness Score: -1.00%

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
Opcode Fuzzy Hash: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
Opcode Fuzzy Hash: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 300463627e1e3070db780a64cda68b10aef53be99f4a2aa47825be2f225bc760
Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
Opcode Fuzzy Hash: 300463627e1e3070db780a64cda68b10aef53be99f4a2aa47825be2f225bc760
Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040496B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
wsprintfW.USER32 ref: 00404A15
SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28

Strings

%u.%u%s%s, xrefs: 004049F6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c39695ae270452159a58bdee07ca0e289f121739e597b4873a1b490847d35dae
Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
Opcode Fuzzy Hash: c39695ae270452159a58bdee07ca0e289f121739e597b4873a1b490847d35dae
Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403B6F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,Bistandspengene Setup), ref: 00403C07

Strings

"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe", xrefs: 00403B70
1033, xrefs: 00403B73, 00403B7D, 00403BEE
Bistandspengene Setup, xrefs: 00403BF6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe"$1033$Bistandspengene Setup
API String ID: 530164218-1203452425
Opcode ID: 0db0831f5ec28912bcf09a08f50af73a8a69499f9d1cd40cf7ad1787c9be3605
Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
Opcode Fuzzy Hash: 0db0831f5ec28912bcf09a08f50af73a8a69499f9d1cd40cf7ad1787c9be3605
Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Bistandspengene Setup,NSIS Error), ref: 0040605D

Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405861,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA

lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405861,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405861,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C
4#v, xrefs: 00405B0E

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4#v$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3758603893
Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
lstrcatW.KERNEL32(?,0040A014), ref: 00405A26

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,762323A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A

Part of subcall function 00405730: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 9379c59bfbec92586b7bea6de4fb4a4f736cfbaa92e5777ace76eb21c172b2cc
Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
Opcode Fuzzy Hash: 9379c59bfbec92586b7bea6de4fb4a4f736cfbaa92e5777ace76eb21c172b2cc
Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
CloseHandle.KERNEL32(?), ref: 00405766

Strings

Error launching installer, xrefs: 00405743

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C

Uniqueness

Uniqueness Score: -1.00%

Function 00403804 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
GlobalFree.KERNEL32(?), ref: 00403825

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403804

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405A56
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\RC_S23_3274 Or_amento ADP 231019_5_5009.exe",00403536,?), ref: 00405A66

Strings

C:\Users\user\Desktop, xrefs: 00405A50

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.4528559441.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4528540751.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528571623.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4528583295.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405B8A Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC

Memory Dump Source

Source File: 00000000.00000002.4527233066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4527207260.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527255166.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527275048.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4527485883.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RC_S23_3274 Or_amento ADP 231019_5_5009.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Arbejderungerne.nab

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Candlebeam.ove

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Dilators.rea

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Pneumonalgia.Tag

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Reaccomodated.alc

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Tangentialarm.cov

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Uncivilization.non

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\Unmolest71.txt

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\antiformant.spa

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\ceratinous.est

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\drankere.int

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\enchytraeid.fod

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\heartrot.fra

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\holdenes.ufo

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\inflamedness.grd

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\milieuaktivists.asc

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\overassistents.urt

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\sagvoldere.clo

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\sammenarbejde.sli

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\skaarlgger.sku

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\startskammelens.mor

C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\fusty\synesthesia.fir

Windows Analysis Report
RC_S23_3274 Or_amento ADP 231019_5_5009.exe

Function 004032A0 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 00404B2B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00406072 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405841 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C3C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403899 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00403027 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 0040567E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004063BA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 10001759 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118
COMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405C54 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON