Windows Analysis Report
WWAddToLocalAdmins.exe

Overview

General Information

Sample name:WWAddToLocalAdmins.exe
Analysis ID:1544497
MD5:cd54d0f310489d1cdcec2692cf9ef236
SHA1:18b7ade73903e3562d3989515e6a5ebdbb21e058
SHA256:291b83adc7d7d4bc86ddc24c75a26fd2c4d740a432da8d4cbf2b9e2fc4b517c4
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WWAddToLocalAdmins.exe (PID: 2408 cmdline: "C:\Users\user\Desktop\WWAddToLocalAdmins.exe" MD5: CD54D0F310489D1CDCEC2692CF9EF236)
    • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cscript.exe (PID: 1848 cmdline: "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs, CommandLine: "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs, CommandLine|base64offset|contains: .(, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: "C:\Users\user\Desktop\WWAddToLocalAdmins.exe", ParentImage: C:\Users\user\Desktop\WWAddToLocalAdmins.exe, ParentProcessId: 2408, ParentProcessName: WWAddToLocalAdmins.exe, ProcessCommandLine: "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs, ProcessId: 1848, ProcessName: cscript.exe
No Suricata rule has matched


AV Detection

Source: WWAddToLocalAdmins.exe; ReversingLabs: Detection: 16%
Source: WWAddToLocalAdmins.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00401467 FindResourceA,LoadResource,GetVersionExA,SetCurrentDirectoryA,LockResource,SizeofResource,KiUserExceptionDispatcher,LogonUserA,GetTickCount,GetFileAttributesA,SetFileAttributesA,SetFileAttributesA,GetExitCodeProcess,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,CreateProcessAsUserA,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,CreateProcessA,GetExitCodeProcess,Sleep,GetLastError,FormatMessageA,GetFileAttributesA,SetFileAttributesA 0_2_00401467
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00402757
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00408917
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_004037C1
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00404DDD
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00402FBA
Source: classification engine; Classification label: mal48.winEXE@4/3@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; File created: C:\Temp\60875D.vbs
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs
Source: WWAddToLocalAdmins.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\WWAddToLocalAdmins.exe "C:\Users\user\Desktop\WWAddToLocalAdmins.exe"
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: adsnt.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00401C42 LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,WinExec 0_2_00401C42
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_004060C0 push eax; ret 0_2_004060EE
Source: C:\Windows\SysWOW64\cscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-6040
Source: cscript.exe, 00000002.00000003.2252805429.00000000031D5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RA
Source: cscript.exe, 00000002.00000003.2252789003.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000003.2252770380.00000000031DA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WWAddToLocalAdmins.exe; Code function: 0_2_00407B44 WriteFile,LdrInitializeThunk,GetLastError,WriteFile,GetLastError 0_2_00407B44
Source: C:\Windows\SysWOW64\cscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (one line per tactic; a leading number is the count of matched signatures for that technique, entries without a number are the matrix's unmatched placeholder cells):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: 1 Scripting, Domains, DNS Server, Virtual Private Server, Server
Initial Access: 2 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: 1 Native API, Scheduled Task/Job, At, Cron, Launchd
Persistence: 2 Valid Accounts, 1 Scripting, 1 DLL Side-Loading, Login Hook, Network Logon Script
Privilege Escalation: 2 Valid Accounts, 2 Access Token Manipulation, 11 Process Injection, 1 DLL Side-Loading, Network Logon Script
Defense Evasion: 2 Valid Accounts, 2 Access Token Manipulation, 11 Process Injection, 1 DLL Side-Loading, 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: 1 Security Software Discovery, 3 System Information Discovery, Query Registry, System Network Configuration Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph

Behavior Graph ID:1544497
Sample:WWAddToLocalAdmins.exe
Startdate:29/10/2024
Architecture:WINDOWS
Score:48
Signatures:Multi AV Scanner detection for submitted file

  • WWAddToLocalAdmins.exe (started)
    • cscript.exe (started)
    • conhost.exe (started)

Source: WWAddToLocalAdmins.exe; Detection: 17%; Scanner: ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544497
Start date and time:2024-10-29 14:07:01 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:WWAddToLocalAdmins.exe
Detection:MAL
Classification:mal48.winEXE@4/3@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 22
  • Number of non-executed functions: 27
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: WWAddToLocalAdmins.exe
No simulations
No context
Process:C:\Users\user\Desktop\WWAddToLocalAdmins.exe
File Type:ASCII text, with very long lines (2611), with no line terminators
Category:dropped
Size (bytes):2611
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:v//////////////////////////////////////////////////////////////X:P
MD5:7DBE7E58FF8EE7A504F65B2EB0CE7E68
SHA1:A862D6B97147B26F28634606DA26658CF308BFA7
SHA-256:5048D4CEE2439D67EE5BB920C974A27EC39CEB6F4401BC509114510D85F735E7
SHA-512:197B4977BE912125FB343C12755E478ACA4E70EDBFAA7E6F472E42E5058927EC18BAF99AC0D973D9AD3B3103941E48488F8CB86CFFE6CD7E605835C8E41ACA16
Malicious:false
Reputation:low
Preview:ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Process:C:\Windows\SysWOW64\cscript.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):3.545063206984032
Encrypted:false
SSDEEP:3:5cl115lll55I2Y1AnWSgll//8lLn:Cl11sGWJltMLn
MD5:A512AF01F8D61D059A2D7BA9CD9DE5DD
SHA1:14016E22BA3F95C5B981AB14BC7DDE8E9F2F8BED
SHA-256:46BA59EFD5A050C1AE1841E73158FC85D997307553936C1412D212FCD52D1C76
SHA-512:86548C3C9F6134BFB55F08DA330DEBA82AA35DF5F70BCAFDB3009BEB0608E4C787F7116A68B5CA8C3B844D13D4F97637D02B3F51C0087852229B78BCA15C485A
Malicious:false
Reputation:low
Preview:....8.4.9.2.2.4.....\MAILSLOT\NET\GETDCD4937D94.................
Process:C:\Windows\SysWOW64\cscript.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):3.7249034414266404
Encrypted:false
SSDEEP:3:5cl115lll55I2Y1AnJjUSRPlslLn:Cl11sGm1Ln
MD5:435F9258D5A586F18107CD87EE1B3B2E
SHA1:8E1943296338E330E9C8D5D98A93E59025195E37
SHA-256:D18141FAA09D353285AEB932775DF94EC72D4C3F950C057FDB18CE79414DD622
SHA-512:9EA0505B09A418E50C4FE345E4F7AECCE5760E6E91C74E8186DF746BC0C1252B31B224E315D6FA5129AAD4B998D06FE45347F6D450A357DF8D273CC3CE3E490A
Malicious:false
Reputation:low
Preview:....8.4.9.2.2.4.....\MAILSLOT\NET\GETDCF5F17330.................
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):5.6126558170625005
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:WWAddToLocalAdmins.exe
File size:90'112 bytes
MD5:cd54d0f310489d1cdcec2692cf9ef236
SHA1:18b7ade73903e3562d3989515e6a5ebdbb21e058
SHA256:291b83adc7d7d4bc86ddc24c75a26fd2c4d740a432da8d4cbf2b9e2fc4b517c4
SHA512:f5b51b42cf57ccc1dce94739e1f727b16c51e0b29c575ea514e338f2fab8c8f022bbceac261aac5d50e0ccafa57f700b9d6339c230d0aa2b83b2476d9e2de1c2
SSDEEP:1536:Qpgvvf/afJnTsK8W1tBq5eGWclBjleBKBw/C:vvn/6wwt3hclBhX
TLSH:6F938C13B9D0CA7ED5B04232E8904BF26B79FE31E1695887A7487CC93D32594932739B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........<..do..do..do..ho..doF.jo..do..no..doF.9o..do..eo..do..oo..do..bo..doRich..do................PE..L...uhNE...................
Icon Hash:49033b1f17170d01
Entrypoint:0x40689e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x454E6875 [Sun Nov 5 22:40:53 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:9ee1751483a7b7cb180cbb92cd46f3cc
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040D950h
push 00409F30h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0040C0C4h]
xor edx, edx
mov dl, ah
mov dword ptr [00412210h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0041220Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00412208h], ecx
shr eax, 10h
mov dword ptr [00412204h], eax
push 00000000h
call 00007F295D0B7B72h
pop ecx
test eax, eax
jne 00007F295D0B640Ah
push 0000001Ch
call 00007F295D0B649Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F295D0B9780h
call dword ptr [0040C0C0h]
mov dword ptr [00413764h], eax
call 00007F295D0B963Eh
mov dword ptr [0041226Ch], eax
call 00007F295D0B93E7h
call 00007F295D0B9329h
call 00007F295D0B5916h
mov eax, dword ptr [00412220h]
mov dword ptr [00412224h], eax
push eax
push dword ptr [00412218h]
push dword ptr [00412214h]
call 00007F295D0B0AB3h
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F295D0B591Bh
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]
Programming Language:
  • [ C ] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdd78 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x3fc0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x14c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xafc7 | 0xb000 | 5dec2932e9370d540d41369bf4fc5305 | False | 0.6299493963068182 | data | 6.635325183892252 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x24c6 | 0x3000 | 0d6280f6031e8522806e3c860459b92f | False | 0.3296712239583333 | data | 3.847678121234383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x477c | 0x3000 | 0ea8fb085d66882d27ec5e633512752c | False | 0.10400390625 | data | 1.3123505764154129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x14000 | 0x3fc0 | 0x4000 | d8de76a0b21f87ec7f5741ae5ec431c0 | False | 0.42315673828125 | data | 5.058362822093357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x14178 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.28921161825726144
RT_ICON | 0x16720 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | | | 0.6185185185185185
RT_ICON | 0x173c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6897163120567376
RT_RCDATA | 0x17830 | 0x320 | data | | | 0.0475
RT_RCDATA | 0x17b50 | 0x43e | data | | | 1.0101289134438305
RT_GROUP_ICON | 0x17f90 | 0x30 | data | | | 0.9166666666666666
DLL | Import
KERNEL32.dll | GetWindowsDirectoryA, LockResource, LoadResource, FindResourceA, SizeofResource, CreateProcessA, FormatMessageA, GetLastError, Sleep, GetExitCodeProcess, SetFileAttributesA, GetFileAttributesA, GetTickCount, GetVersionExA, FreeLibrary, MultiByteToWideChar, lstrlenA, GetProcAddress, GetSystemDirectoryA, WinExec, RemoveDirectoryA, DeleteFileA, SetFilePointer, GetFileType, DuplicateHandle, GetCurrentProcess, CreateFileA, CloseHandle, ReadFile, SystemTimeToFileTime, DosDateTimeToFileTime, CreateDirectoryA, SetFileTime, WriteFile, SetEnvironmentVariableA, CompareStringW, GetTempPathA, GetModuleHandleA, SetCurrentDirectoryA, GetCurrentDirectoryA, LoadLibraryA, ExitProcess, TerminateProcess, HeapAlloc, HeapFree, GetCommandLineA, GetVersion, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetFullPathNameA, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetStartupInfoA, RtlUnwind, GetStringTypeA, GetStringTypeW, GetDriveTypeA, SetStdHandle, FlushFileBuffers, CompareStringA, SetEndOfFile
USER32.dll | PostQuitMessage
ADVAPI32.dll | LogonUserA, CreateProcessAsUserA
No network behavior found

Target ID:0
Start time:09:07:53
Start date:29/10/2024
Path:C:\Users\user\Desktop\WWAddToLocalAdmins.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\WWAddToLocalAdmins.exe"
Imagebase:0x400000
File size:90'112 bytes
MD5 hash:CD54D0F310489D1CDCEC2692CF9EF236
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:09:07:53
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:09:07:53
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\CScript.exe" //noLogo C:\Temp\60875D.vbs
Imagebase:0xc60000
File size:144'896 bytes
MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true


    Execution Graph

    Execution Coverage:11.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:8.7%
    Total number of Nodes:1121
    Total number of Limit Nodes:9
    execution_graph: serialized call-graph dump (node addresses, resolved API names such as GetVersion, HeapCreate, GetStartupInfoA, GetCommandLineA, CreateProcessAsUserA, WriteFile, and node-to-node edges) not reproduced in this rendering; entry node is 40689e GetVersion.
5527 40a0a0 GetModuleFileNameA 5525->5527 5526->5522 5528 40a0b8 5527->5528 5530 40b1c5 5528->5530 5531 40b1d2 LoadLibraryA 5530->5531 5533 40b214 5530->5533 5532 40b1e3 GetProcAddress 5531->5532 5531->5533 5532->5533 5534 40b1fa GetProcAddress GetProcAddress 5532->5534 5533->5522 5534->5533 5536 406412 5535->5536 5537 40642e 5535->5537 5538 406432 5536->5538 5539 40641c 5536->5539 5537->5375 5540 40645d 5538->5540 5544 40644c 5538->5544 5541 40645e HeapFree 5539->5541 5542 406428 5539->5542 5540->5541 5541->5537 5546 408139 5542->5546 5552 408ec0 5544->5552 5547 408177 5546->5547 5551 40842d 5546->5551 5548 408373 VirtualFree 5547->5548 5547->5551 5549 4083d7 5548->5549 5550 4083e6 VirtualFree HeapFree 5549->5550 5549->5551 5550->5551 5551->5537 5553 408f03 5552->5553 5554 408eed 5552->5554 5553->5537 5554->5553 5556 408da7 5554->5556 5559 408db4 5556->5559 5557 408e64 5557->5553 5558 408dd5 VirtualFree 5558->5559 5559->5557 5559->5558 5561 408d51 VirtualFree 5559->5561 5562 408d6e 5561->5562 5563 408d9e 5562->5563 5564 408d7e HeapFree 5562->5564 5563->5559 5564->5559 5566 4096a7 5565->5566 5567 4096ae 5565->5567 5569 4092da 5566->5569 5567->5381 5576 409473 5569->5576 5573 40931d GetCPInfo 5575 409331 5573->5575 5574 409467 5574->5567 5575->5574 5581 409519 GetCPInfo 5575->5581 5577 409493 5576->5577 5578 409483 GetOEMCP 5576->5578 5579 409498 GetACP 5577->5579 5580 4092eb 5577->5580 5578->5577 5579->5580 5580->5573 5580->5574 5580->5575 5582 40953c 5581->5582 5588 409604 5581->5588 5583 40a2f0 6 API calls 5582->5583 5584 4095b8 5583->5584 5585 406cc5 9 API calls 5584->5585 5586 4095dc 5585->5586 5587 406cc5 9 API calls 5586->5587 5587->5588 5588->5574 5590 4010f8 LoadResource 5589->5590 5612 40109d 5589->5612 5591 40110d LockResource 5590->5591 5590->5612 5631 4058f0 5591->5631 5594 401152 5595 401164 GetSystemDirectoryA 5594->5595 5596 40116e 5594->5596 5597 401174 5595->5597 5598 401d23 17 API calls 5596->5598 5599 401201 GetCurrentDirectoryA 5597->5599 5600 
401186 5597->5600 5602 401199 5597->5602 5598->5597 5608 4011ca 5599->5608 5600->5602 5604 4011e6 SetCurrentDirectoryA 5600->5604 5600->5608 5633 401d23 5602->5633 5605 4011f1 5604->5605 5604->5608 5606 401d23 17 API calls 5605->5606 5606->5608 5607 4011ac 5607->5608 5609 4011c2 GetTempPathA 5607->5609 5610 40121d 5607->5610 5645 401e6f 5608->5645 5609->5608 5611 4055be 18 API calls 5610->5611 5611->5612 5612->5404 5612->5405 5674 40122c FindResourceA 5613->5674 5623 4069c6 12 API calls 5622->5623 5624 4055d0 5623->5624 5625 406218 18 API calls 5624->5625 5626 4055ea 5625->5626 5628 406a90 18 API calls 5626->5628 5630 4055f9 5626->5630 5627 406a53 6 API calls 5629 40561c 5627->5629 5628->5630 5629->5409 5630->5627 5632 401124 GetWindowsDirectoryA 5631->5632 5632->5594 5650 405c25 GetFileAttributesA 5633->5650 5635 401dd7 5636 405c25 2 API calls 5635->5636 5637 401de2 5636->5637 5637->5607 5638 401db9 5653 40be46 SetCurrentDirectoryA 5638->5653 5640 40be46 13 API calls 5642 401d36 5640->5642 5641 401dc5 5641->5635 5643 4060ef 2 API calls 5641->5643 5642->5635 5642->5638 5642->5640 5661 4060ef CreateDirectoryA 5642->5661 5643->5635 5668 405d8c 5645->5668 5647 401e77 5671 40611b 5647->5671 5651 405c34 GetLastError 5650->5651 5652 405c40 5650->5652 5651->5652 5652->5642 5654 40beba GetLastError 5653->5654 5655 40be5c GetCurrentDirectoryA 5653->5655 5657 40bec6 5654->5657 5655->5654 5656 40be72 5655->5656 5658 40beb6 5656->5658 5664 40bf4c 5656->5664 5657->5641 5658->5641 5662 4060ff GetLastError 5661->5662 5663 406107 5661->5663 5662->5663 5663->5642 5665 40bf5c 5664->5665 5667 40be95 SetEnvironmentVariableA 5664->5667 5666 406cc5 9 API calls 5665->5666 5665->5667 5666->5667 5667->5654 5667->5658 5669 406506 12 API calls 5668->5669 5670 405d97 5669->5670 5670->5647 5672 406406 7 API calls 5671->5672 5673 401ea9 5672->5673 5673->5612 5675 4010bb 5674->5675 5676 40124d LoadResource 5674->5676 5694 401334 FindResourceA 5675->5694 5676->5675 5677 401267 5676->5677 5678 
405cc0 15 API calls 5677->5678 5679 401274 5678->5679 5779 405c69 5679->5779 5681 40127d SetCurrentDirectoryA LockResource SizeofResource 5682 4012ae 5681->5682 5785 4054ac 5682->5785 5684 4012b7 5796 40550a 5684->5796 5686 4012c8 5687 401326 5686->5687 5688 40550a 23 API calls 5686->5688 5690 405c25 2 API calls 5686->5690 5691 4012fd 5686->5691 5816 405577 5687->5816 5688->5686 5690->5686 5691->5686 5800 40553d 5691->5800 5804 401c42 5691->5804 5695 401355 LoadResource 5694->5695 5696 4010c0 5694->5696 5695->5696 5697 40136f 5695->5697 5714 401467 FindResourceA 5696->5714 5698 405cc0 15 API calls 5697->5698 5699 40137c 5698->5699 5700 405c69 2 API calls 5699->5700 5701 401385 SetCurrentDirectoryA LockResource SizeofResource 5700->5701 5702 4013b6 5701->5702 5703 4054ac 31 API calls 5702->5703 5704 4013bf 5703->5704 5705 40550a 23 API calls 5704->5705 5706 4013d0 5705->5706 5707 405d8c 12 API calls 5706->5707 5713 4013e9 5706->5713 5707->5713 5708 401459 5709 405577 8 API calls 5708->5709 5709->5696 5710 40550a 23 API calls 5710->5713 5711 405c25 2 API calls 5711->5713 5712 40553d 29 API calls 5712->5713 5713->5708 5713->5710 5713->5711 5713->5712 5715 40148c LoadResource 5714->5715 5733 4010c5 5714->5733 5716 4014a9 5715->5716 5715->5733 5717 4014bc GetVersionExA 5716->5717 5718 4014db 5717->5718 5719 405cc0 15 API calls 5718->5719 5720 4014f8 5719->5720 5721 405c69 2 API calls 5720->5721 5722 401501 SetCurrentDirectoryA LockResource SizeofResource 5721->5722 5723 401534 5722->5723 5724 4054ac 31 API calls 5723->5724 5725 40153d 5724->5725 5726 40550a 23 API calls 5725->5726 5727 40154f 5726->5727 6132 405f49 5727->6132 5729 401a56 5732 405577 8 API calls 5729->5732 5730 401595 5734 4015e5 LogonUserA 5730->5734 5750 40160f 5730->5750 5731 40550a 23 API calls 5731->5750 5732->5733 5766 401deb 5733->5766 5735 4015fd 5734->5735 5734->5750 5736 4055be 18 API calls 5735->5736 5738 401607 5736->5738 5737 401641 GetTickCount 6152 405dcb 5737->6152 5740 405e74 3 API calls 
5738->5740 5740->5750 5741 405c25 GetFileAttributesA GetLastError 5741->5750 5742 4016bd GetFileAttributesA SetFileAttributesA 5742->5750 5743 40553d 29 API calls 5743->5750 5744 405d9a 26 API calls 5744->5750 5745 401a67 6182 405d9a 5745->6182 5747 401726 SetFileAttributesA 5747->5750 5749 405e74 3 API calls 5750->5729 5750->5731 5750->5737 5750->5741 5750->5742 5750->5743 5750->5744 5750->5745 5750->5747 5751 401955 CreateProcessA 5750->5751 5752 4018cb CreateProcessAsUserA 5750->5752 5758 401998 Sleep 5750->5758 5759 401909 Sleep 5750->5759 5760 401a1d GetFileAttributesA SetFileAttributesA 5750->5760 5762 401660 5750->5762 5753 4019a5 GetLastError FormatMessageA 5751->5753 5754 401976 GetExitCodeProcess 5751->5754 5755 4018e3 GetExitCodeProcess 5752->5755 5756 401916 GetLastError FormatMessageA 5752->5756 5753->5750 5754->5750 5755->5750 5756->5750 5758->5754 5759->5755 6142 401f25 5760->6142 5761 40188c GetLastError FormatMessageA 5761->5762 5762->5750 5762->5761 5764 40185d GetExitCodeProcess 5762->5764 5765 401878 Sleep 5762->5765 6157 401a85 LoadLibraryA 5762->6157 5764->5750 5764->5762 5765->5764 5767 401e59 5766->5767 5768 401dfa 5766->5768 5769 401e63 RemoveDirectoryA 5767->5769 5770 4010ca PostQuitMessage 5767->5770 5771 401e4d 5768->5771 5772 405cc0 15 API calls 5768->5772 5769->5770 5770->5409 5773 40611b 7 API calls 5771->5773 5774 401e11 5772->5774 5773->5767 5775 405c69 2 API calls 5774->5775 5776 401e1a SetCurrentDirectoryA 5775->5776 5777 401e34 5776->5777 5777->5771 5778 401f25 40 API calls 5777->5778 5778->5777 5780 405c74 5779->5780 5784 405ca4 5779->5784 5781 405c79 SetCurrentDirectoryA 5780->5781 5780->5784 5782 405c94 5781->5782 5783 405c98 GetLastError 5781->5783 5782->5681 5783->5784 5784->5681 5786 405d8c 12 API calls 5785->5786 5787 4054b7 5786->5787 5825 404d5a 5787->5825 5790 4054f7 5793 405d8c 12 API calls 5790->5793 5791 4054ec 5792 40611b 7 API calls 5791->5792 5794 4054f2 5792->5794 5795 4054fe 5793->5795 5794->5684 5795->5684 5797 
405512 5796->5797 5798 405519 5796->5798 5797->5686 5798->5797 5972 404ddd 5798->5972 5801 405547 5800->5801 5802 40554e 5800->5802 5801->5691 5802->5801 6046 4051b3 5802->6046 5805 401c5a 5804->5805 5806 401c71 LoadLibraryA 5805->5806 5807 401cca 5805->5807 5809 401cb6 GetLastError 5806->5809 5810 401c8e GetProcAddress 5806->5810 5812 401cf9 WinExec 5807->5812 5813 401cc2 5809->5813 5811 401c9e GetLastError 5810->5811 5814 401c9a 5810->5814 5811->5814 5812->5813 5813->5691 5815 401cab FreeLibrary 5814->5815 5815->5813 5817 405580 5816->5817 5818 405587 5816->5818 5817->5675 5818->5817 6117 405483 5818->6117 5821 40611b 7 API calls 5822 4055ae 5821->5822 5823 40611b 7 API calls 5822->5823 5824 4055b4 5823->5824 5824->5675 5826 404da1 5825->5826 5827 404d66 5825->5827 5826->5790 5826->5791 5827->5826 5828 404d6c GetCurrentDirectoryA 5827->5828 5829 404d8a 5828->5829 5830 404d93 GetFileType 5829->5830 5831 404da8 5829->5831 5830->5826 5830->5831 5835 403ebf 5831->5835 5836 403ecf 5835->5836 5837 403ef9 5836->5837 5838 403f2a GetCurrentProcess GetCurrentProcess DuplicateHandle 5836->5838 5844 403ed9 5836->5844 5839 403f67 5837->5839 5840 403efe CreateFileA 5837->5840 5841 403f54 GetFileType 5838->5841 5838->5844 5842 405d8c 12 API calls 5839->5842 5840->5841 5840->5844 5841->5839 5843 403f6e 5842->5843 5843->5844 5845 403fad SetFilePointer 5843->5845 5844->5826 5846 404306 5844->5846 5845->5844 5847 40431d 5846->5847 5851 40443c 5846->5851 5848 404436 5847->5848 5875 404208 5847->5875 5905 403fc9 5848->5905 5851->5826 5859 404150 ReadFile 5860 404384 5859->5860 5861 404150 ReadFile 5860->5861 5862 40439a 5861->5862 5863 404150 ReadFile 5862->5863 5864 4043ad 5863->5864 5865 404194 ReadFile 5864->5865 5866 4043de 5865->5866 5867 404194 ReadFile 5866->5867 5868 4043f1 5867->5868 5869 404150 ReadFile 5868->5869 5870 404407 5869->5870 5870->5848 5871 404441 5870->5871 5872 4064f4 12 API calls 5871->5872 5873 404467 5872->5873 5912 404804 5873->5912 5876 404037 
SetFilePointer 5875->5876 5877 40421c 5876->5877 5878 404252 5877->5878 5916 404006 5877->5916 5887 404037 5878->5887 5880 40422b 5881 4064f4 12 API calls 5880->5881 5886 40424b 5881->5886 5882 4042f7 5883 406406 7 API calls 5882->5883 5883->5878 5884 404037 SetFilePointer 5884->5886 5886->5878 5886->5882 5886->5884 5920 4040b3 5886->5920 5888 40407b 5887->5888 5890 404045 5887->5890 5891 404194 5888->5891 5889 404070 SetFilePointer 5889->5888 5890->5888 5890->5889 5923 404118 5891->5923 5893 4041a6 5894 404118 ReadFile 5893->5894 5895 4041b9 5893->5895 5894->5895 5896 404118 ReadFile 5895->5896 5897 4041d1 5895->5897 5896->5897 5898 404118 ReadFile 5897->5898 5899 4041e9 5897->5899 5898->5899 5900 404150 5899->5900 5901 404118 ReadFile 5900->5901 5902 404161 5901->5902 5903 404176 5902->5903 5904 404118 ReadFile 5902->5904 5903->5859 5904->5903 5906 403fd2 5905->5906 5907 403fd7 5905->5907 5906->5851 5908 403fe5 5907->5908 5909 403fdc CloseHandle 5907->5909 5910 40611b 7 API calls 5908->5910 5909->5908 5911 403feb 5910->5911 5911->5851 5913 404810 5912->5913 5914 404815 5912->5914 5913->5851 5926 404502 5914->5926 5917 404013 5916->5917 5919 40402a 5916->5919 5918 404018 SetFilePointer 5917->5918 5917->5919 5918->5880 5919->5880 5921 4040de 5920->5921 5922 4040c7 ReadFile 5920->5922 5921->5886 5922->5921 5924 4040b3 ReadFile 5923->5924 5925 40412c 5924->5925 5925->5893 5927 40451e 5926->5927 5961 404516 5926->5961 5928 404037 SetFilePointer 5927->5928 5929 40452e 5928->5929 5930 404194 ReadFile 5929->5930 5931 404535 5929->5931 5930->5931 5932 404150 ReadFile 5931->5932 5933 404572 5932->5933 5934 404150 ReadFile 5933->5934 5935 404586 5934->5935 5936 404150 ReadFile 5935->5936 5937 40459a 5936->5937 5938 404150 ReadFile 5937->5938 5939 4045ae 5938->5939 5940 404194 ReadFile 5939->5940 5941 4045c2 5940->5941 5942 404194 ReadFile 5941->5942 5943 4045e2 5942->5943 5944 404194 ReadFile 5943->5944 5945 4045f7 5944->5945 5946 404194 ReadFile 5945->5946 5947 40460b 
5946->5947 5948 404150 ReadFile 5947->5948 5949 40461f 5948->5949 5950 404150 ReadFile 5949->5950 5951 404633 5950->5951 5952 404150 ReadFile 5951->5952 5953 404647 5952->5953 5954 404150 ReadFile 5953->5954 5955 40465b 5954->5955 5956 404150 ReadFile 5955->5956 5957 40466f 5956->5957 5958 404194 ReadFile 5957->5958 5959 404683 5958->5959 5960 404194 ReadFile 5959->5960 5963 404697 5960->5963 5961->5913 5962 404740 5962->5961 5967 404786 5962->5967 5969 404037 SetFilePointer 5962->5969 5963->5962 5965 4046e0 5963->5965 5968 4040b3 ReadFile 5963->5968 5964 404718 5964->5962 5970 4040b3 ReadFile 5964->5970 5965->5962 5965->5964 5966 404037 SetFilePointer 5965->5966 5966->5964 5967->5961 5971 4040b3 ReadFile 5967->5971 5968->5965 5969->5967 5970->5962 5971->5961 5973 404dfc 5972->5973 5985 404e1e 5972->5985 5974 404e12 5973->5974 5973->5985 6005 404c99 5973->6005 5976 404e97 5974->5976 5977 404804 2 API calls 5974->5977 5974->5985 5978 404ea7 5976->5978 6011 404842 5976->6011 5977->5976 6015 4047dd 5978->6015 5984 404ee8 5986 404037 SetFilePointer 5984->5986 5985->5797 5987 404ef5 5986->5987 5988 405d8c 12 API calls 5987->5988 5997 404f23 5987->5997 5989 404f04 5988->5989 5990 4040b3 ReadFile 5989->5990 5991 404f15 5990->5991 5992 404f1d 5991->5992 5995 404f2e 5991->5995 5993 40611b 7 API calls 5992->5993 5993->5997 5994 404fd6 DosDateTimeToFileTime 5996 40506a 5994->5996 5999 40502e 5994->5999 5995->5994 5996->5997 5998 40611b 7 API calls 5996->5998 5997->5985 5998->5997 5999->5996 6000 405099 5999->6000 6041 404cf9 5999->6041 6002 4050b9 6000->6002 6003 404cf9 SystemTimeToFileTime 6000->6003 6002->5996 6004 404cf9 SystemTimeToFileTime 6002->6004 6003->6002 6004->5996 6006 404ca9 6005->6006 6010 404cb0 6005->6010 6007 404cd1 6006->6007 6008 406406 7 API calls 6006->6008 6006->6010 6009 406406 7 API calls 6007->6009 6008->6007 6009->6010 6010->5974 6012 404852 6011->6012 6014 40484e 6011->6014 6013 404502 2 API calls 6012->6013 6012->6014 6013->6014 6014->5976 6016 
404502 2 API calls 6015->6016 6017 4047ff 6016->6017 6018 40489c 6017->6018 6019 404037 SetFilePointer 6018->6019 6020 4048c8 6019->6020 6021 404194 ReadFile 6020->6021 6040 4048cf 6020->6040 6022 4048e2 6021->6022 6023 404150 ReadFile 6022->6023 6024 404904 6023->6024 6025 404150 ReadFile 6024->6025 6026 404918 6025->6026 6027 404150 ReadFile 6026->6027 6028 40492c 6027->6028 6029 404194 ReadFile 6028->6029 6030 40495a 6029->6030 6031 404194 ReadFile 6030->6031 6032 40496e 6031->6032 6033 404194 ReadFile 6032->6033 6034 404999 6033->6034 6035 404194 ReadFile 6034->6035 6036 4049c4 6035->6036 6037 404150 ReadFile 6036->6037 6038 4049ef 6037->6038 6039 404150 ReadFile 6038->6039 6039->6040 6040->5984 6040->5985 6044 4065a6 6041->6044 6045 404d08 SystemTimeToFileTime 6044->6045 6045->6000 6047 4051c0 6046->6047 6048 4051e9 6047->6048 6049 4051cd 6047->6049 6050 40522d 6048->6050 6052 4051ff 6048->6052 6055 404c99 7 API calls 6048->6055 6053 40527a 6049->6053 6056 404c99 7 API calls 6049->6056 6090 4051df 6049->6090 6106 404b2c 6050->6106 6058 405216 6052->6058 6062 404804 2 API calls 6052->6062 6052->6090 6057 405298 6053->6057 6059 404804 2 API calls 6053->6059 6053->6090 6055->6052 6056->6053 6060 4052a8 6057->6060 6066 404842 2 API calls 6057->6066 6063 405226 6058->6063 6064 404842 2 API calls 6058->6064 6059->6057 6067 404ddd 23 API calls 6060->6067 6061 404c99 7 API calls 6061->6090 6062->6058 6094 404a3f 6063->6094 6064->6058 6066->6057 6068 4052b7 6067->6068 6069 4052c0 6068->6069 6079 4052e3 6068->6079 6071 4052cc 6069->6071 6069->6090 6070 4052e8 6075 404a3f 21 API calls 6070->6075 6070->6090 6113 40511a 6071->6113 6072 4053a7 CreateFileA 6072->6070 6076 4053d9 6075->6076 6077 404b2c 2 API calls 6076->6077 6088 4053ef 6077->6088 6078 405427 6081 405429 GetFileType 6078->6081 6079->6070 6079->6072 6091 405392 6079->6091 6080 4053f8 WriteFile 6080->6078 6080->6088 6082 405437 6081->6082 6083 405459 6081->6083 6082->6083 6085 40543b SetFileTime 6082->6085 6086 
405468 6083->6086 6087 40545f CloseHandle 6083->6087 6084 404b2c 2 API calls 6084->6088 6085->6083 6089 404c99 7 API calls 6086->6089 6087->6086 6088->6078 6088->6080 6088->6081 6088->6084 6089->6090 6090->5801 6092 40511a CreateDirectoryA 6091->6092 6093 4053a5 6092->6093 6093->6072 6095 404a54 6094->6095 6104 404a50 6094->6104 6096 404a64 6095->6096 6097 404c99 7 API calls 6095->6097 6095->6104 6098 40489c 2 API calls 6096->6098 6097->6096 6099 404a77 6098->6099 6100 4064f4 12 API calls 6099->6100 6099->6104 6101 404a89 6100->6101 6102 4064f4 12 API calls 6101->6102 6101->6104 6103 404a9a 6102->6103 6103->6104 6105 406406 7 API calls 6103->6105 6104->6050 6105->6104 6107 404b47 6106->6107 6112 404b43 6106->6112 6107->6107 6109 404ba0 6107->6109 6107->6112 6108 404037 SetFilePointer 6108->6109 6109->6107 6109->6108 6110 404c8c 6109->6110 6111 4040b3 ReadFile 6109->6111 6110->6112 6111->6109 6112->6061 6112->6090 6114 4051b1 6113->6114 6115 40512e 6113->6115 6114->6090 6115->6114 6116 40519d CreateDirectoryA 6115->6116 6116->6114 6118 405493 6117->6118 6119 40548c 6117->6119 6121 4054a4 6118->6121 6123 404485 6118->6123 6120 404c99 7 API calls 6119->6120 6120->6118 6121->5821 6124 40448e 6123->6124 6126 404493 6123->6126 6124->6121 6125 40449f 6128 403fc9 8 API calls 6125->6128 6126->6125 6127 404c99 7 API calls 6126->6127 6127->6125 6129 4044a7 6128->6129 6130 406406 7 API calls 6129->6130 6131 4044ad 6130->6131 6131->6121 6133 405c25 2 API calls 6132->6133 6134 405f5f 6133->6134 6135 405f65 6134->6135 6136 405f88 6134->6136 6195 4078b6 6135->6195 6189 407839 6136->6189 6139 405f90 6140 405c25 2 API calls 6139->6140 6141 405f76 6139->6141 6140->6139 6141->5730 6316 406342 6142->6316 6144 401f34 6145 401f6e DeleteFileA 6144->6145 6319 40becc 6144->6319 6145->5750 6147 401f66 6334 4061c2 6147->6334 6151 401f48 6151->6147 6328 406218 6151->6328 6448 406f5e 6152->6448 6155 405e03 6155->5762 6156 406a90 18 API calls 6156->6155 6158 401aa2 6157->6158 6159 401aaa 
GetProcAddress 6157->6159 6158->5762 6159->6158 6160 401ac5 6159->6160 6161 401af5 6160->6161 6162 401afa lstrlenA 6160->6162 6165 401b34 lstrlenA 6161->6165 6166 401b2f 6161->6166 6163 4060c0 6162->6163 6164 401b0f MultiByteToWideChar 6163->6164 6164->6161 6167 4060c0 6165->6167 6169 401b69 6166->6169 6170 401b6e lstrlenA 6166->6170 6168 401b49 MultiByteToWideChar 6167->6168 6168->6166 6173 401ba3 6169->6173 6174 401ba8 lstrlenA 6169->6174 6171 4060c0 6170->6171 6172 401b83 MultiByteToWideChar 6171->6172 6172->6169 6177 401be1 lstrlenA 6173->6177 6178 401bdd FreeLibrary 6173->6178 6175 4060c0 6174->6175 6176 401bbd MultiByteToWideChar 6175->6176 6176->6173 6179 4060c0 6177->6179 6178->6158 6180 401bf6 MultiByteToWideChar 6179->6180 6180->6178 6457 4069c6 6182->6457 6185 406f5e 26 API calls 6186 405db9 6185->6186 6461 406a53 6186->6461 6188 401a7b 6188->5749 6190 40784b 6189->6190 6194 4078a8 6189->6194 6191 40785c 6190->6191 6190->6194 6215 40a5d4 6190->6215 6191->6194 6210 40a595 6191->6210 6194->6139 6196 4078c6 6195->6196 6197 407948 6195->6197 6196->6197 6199 4078cb 6196->6199 6301 40a642 6197->6301 6200 4078f6 GetFullPathNameA 6199->6200 6203 4064f4 12 API calls 6199->6203 6201 407923 6200->6201 6202 40790a 6200->6202 6206 407933 GetLastError 6201->6206 6207 4078e3 6201->6207 6208 406406 7 API calls 6201->6208 6205 406406 7 API calls 6202->6205 6202->6207 6204 4078dc 6203->6204 6204->6200 6204->6207 6205->6207 6206->6207 6207->6141 6209 407932 6208->6209 6209->6206 6211 40a5a2 6210->6211 6212 40a59e 6210->6212 6222 40b257 6211->6222 6212->6191 6216 40a635 6215->6216 6219 40a5e7 6215->6219 6216->6191 6217 40a5ed WideCharToMultiByte 6217->6216 6217->6219 6218 4064f4 12 API calls 6218->6219 6219->6216 6219->6217 6219->6218 6220 40a60e WideCharToMultiByte 6219->6220 6238 40b4ff 6219->6238 6220->6216 6220->6219 6223 40b28a CompareStringW 6222->6223 6225 40b29f 6222->6225 6224 40b2a7 CompareStringA 6223->6224 6223->6225 6224->6225 6229 40a5c1 6224->6229 6226 40b300 
CompareStringA 6225->6226 6227 40b31b 6225->6227 6226->6229 6228 40b3d5 MultiByteToWideChar 6227->6228 6227->6229 6230 40b35a GetCPInfo 6227->6230 6228->6229 6232 40b3f1 6228->6232 6229->6191 6230->6229 6231 40b36f 6230->6231 6231->6228 6231->6229 6232->6229 6233 40b42d MultiByteToWideChar 6232->6233 6233->6229 6234 40b447 MultiByteToWideChar 6233->6234 6234->6229 6235 40b45f 6234->6235 6235->6229 6236 40b493 MultiByteToWideChar 6235->6236 6236->6229 6237 40b4aa CompareStringW 6236->6237 6237->6229 6239 40b563 6238->6239 6240 40b50e 6238->6240 6239->6219 6240->6239 6241 40b543 6240->6241 6263 40b6de 6240->6263 6243 40b55f 6241->6243 6245 40b56b 6241->6245 6247 40b55a 6241->6247 6243->6239 6272 40b686 6243->6272 6245->6239 6250 4064f4 12 API calls 6245->6250 6249 40a5d4 42 API calls 6247->6249 6248 40b601 6248->6239 6253 40ba81 24 API calls 6248->6253 6249->6243 6252 40b57a 6250->6252 6251 40b5c3 6254 406406 7 API calls 6251->6254 6257 40b5f1 6251->6257 6252->6239 6252->6243 6256 4064f4 12 API calls 6252->6256 6253->6257 6255 40b5d2 6254->6255 6276 40ba81 6255->6276 6256->6243 6257->6239 6259 4064f4 12 API calls 6257->6259 6260 40b649 6259->6260 6260->6239 6261 40b65a SetEnvironmentVariableA 6260->6261 6262 406406 7 API calls 6261->6262 6262->6239 6264 40b6e9 6263->6264 6265 40b6ed 6263->6265 6264->6241 6266 4064f4 12 API calls 6265->6266 6267 40b70f 6266->6267 6268 40b71f 6267->6268 6269 40697d 7 API calls 6267->6269 6270 40b73b 6268->6270 6297 40bd94 6268->6297 6269->6268 6270->6241 6273 40b5b6 6272->6273 6275 40b694 6272->6275 6273->6248 6273->6251 6274 40a595 9 API calls 6274->6275 6275->6273 6275->6274 6277 40ba9c 6276->6277 6278 40ba8e 6276->6278 6280 40bab1 6277->6280 6281 40baa3 6277->6281 6279 4064f4 12 API calls 6278->6279 6285 40ba96 6279->6285 6283 40bbc1 6280->6283 6295 40babf 6280->6295 6282 406406 7 API calls 6281->6282 6282->6285 6284 40bcdc 6283->6284 6294 40bbca 6283->6294 6284->6285 6286 40bcea HeapReAlloc 6284->6286 6285->6257 6286->6284 
6286->6285 6287 40bb7f HeapReAlloc 6287->6295 6288 40bca2 HeapReAlloc 6288->6294 6289 40bb38 HeapAlloc 6289->6295 6290 40bc66 HeapAlloc 6290->6294 6291 408462 5 API calls 6291->6295 6292 408f05 6 API calls 6292->6294 6293 408139 VirtualFree VirtualFree HeapFree 6293->6295 6294->6285 6294->6288 6294->6290 6294->6292 6296 408ec0 VirtualFree HeapFree VirtualFree 6294->6296 6295->6285 6295->6287 6295->6289 6295->6291 6295->6293 6296->6294 6298 40bdaa 6297->6298 6299 40bd9d 6297->6299 6298->6268 6300 4064f4 12 API calls 6299->6300 6300->6298 6304 40a655 6301->6304 6303 40a651 6303->6207 6305 40a666 6304->6305 6306 40a6b8 GetCurrentDirectoryA 6304->6306 6313 40a726 6305->6313 6308 40a6ca 6306->6308 6309 40a671 6308->6309 6312 4064f4 12 API calls 6308->6312 6309->6303 6311 40a68a GetFullPathNameA 6311->6308 6312->6309 6314 40a730 GetDriveTypeA 6313->6314 6315 40a66c 6313->6315 6314->6315 6315->6309 6315->6311 6344 406322 6316->6344 6318 406351 6318->6144 6320 40bf2e 6319->6320 6321 40bed9 6319->6321 6320->6151 6321->6320 6322 40a1ba 2 API calls 6321->6322 6323 40befd 6322->6323 6324 40bf25 6323->6324 6325 40a1ba 2 API calls 6323->6325 6324->6151 6326 40bf13 6325->6326 6326->6324 6327 40a1ba 2 API calls 6326->6327 6327->6324 6329 406235 6328->6329 6330 40623c 6328->6330 6329->6151 6330->6329 6333 407b44 6 API calls 6330->6333 6425 407a72 6330->6425 6429 406a90 6330->6429 6333->6330 6335 401f6d 6334->6335 6336 4061d7 6334->6336 6335->6145 6336->6335 6337 407a72 6 API calls 6336->6337 6338 4061e1 6337->6338 6444 407a0c 6338->6444 6341 407959 3 API calls 6342 4061f1 6341->6342 6342->6335 6343 406406 7 API calls 6342->6343 6343->6335 6350 407e61 6344->6350 6347 40632b 6347->6318 6351 407e75 6350->6351 6353 406327 6350->6353 6352 4064f4 12 API calls 6351->6352 6351->6353 6352->6353 6353->6347 6354 407cf1 6353->6354 6355 407d10 6354->6355 6356 40633e 6355->6356 6358 40a977 6355->6358 6356->6318 6359 40a994 6358->6359 6363 40a9d3 6359->6363 6381 40a75d 6359->6381 6362 40ab10 
CreateFileA 6364 40ab41 GetLastError 6362->6364 6365 40ab2f GetFileType 6362->6365 6363->6356 6364->6363 6366 40ab55 6365->6366 6367 40ab3a CloseHandle 6365->6367 6385 40a7f2 6366->6385 6367->6364 6370 40a1ba 2 API calls 6371 40abae 6370->6371 6372 40abc7 6371->6372 6373 40abb9 6371->6373 6396 40b88b 6372->6396 6373->6363 6389 407959 6373->6389 6375 40abd7 6376 40abed 6375->6376 6405 40b745 6375->6405 6376->6373 6378 40a1ba 2 API calls 6376->6378 6380 40abfe 6378->6380 6380->6363 6380->6373 6382 40a76c 6381->6382 6383 4064f4 12 API calls 6382->6383 6384 40a7a7 6382->6384 6383->6384 6384->6362 6384->6363 6386 40a848 6385->6386 6387 40a800 6385->6387 6386->6363 6386->6370 6387->6386 6388 40a842 SetStdHandle 6387->6388 6388->6386 6392 4079da 6389->6392 6393 40796d 6389->6393 6390 4079d2 6421 40a869 6390->6421 6392->6363 6393->6390 6393->6392 6394 4079bc CloseHandle 6393->6394 6394->6390 6395 4079c8 GetLastError 6394->6395 6395->6390 6397 40b8a3 6396->6397 6400 40b926 6396->6400 6398 40b900 ReadFile 6397->6398 6397->6400 6399 40b919 GetLastError 6398->6399 6401 40b953 6398->6401 6399->6400 6400->6375 6401->6400 6402 40b9cc ReadFile 6401->6402 6404 40a1ba 2 API calls 6401->6404 6402->6401 6403 40b9ea GetLastError 6402->6403 6403->6401 6404->6401 6406 40b752 6405->6406 6407 40a1ba 2 API calls 6406->6407 6416 40b872 6406->6416 6408 40b78a 6407->6408 6409 40a1ba 2 API calls 6408->6409 6408->6416 6410 40b7a2 6409->6410 6411 40b827 6410->6411 6410->6416 6420 40b7b8 6410->6420 6412 40b804 6411->6412 6413 40a1ba 2 API calls 6411->6413 6414 40a1ba 2 API calls 6412->6414 6415 40b834 6413->6415 6414->6416 6417 40b83a SetEndOfFile 6415->6417 6416->6376 6417->6412 6418 40b852 GetLastError 6417->6418 6418->6412 6419 407b44 6 API calls 6419->6420 6420->6412 6420->6419 6422 40a8c2 6421->6422 6423 40a877 6421->6423 6422->6392 6423->6422 6424 40a8bc SetStdHandle 6423->6424 6424->6422 6426 407a88 6425->6426 6427 407aa3 6425->6427 6426->6427 6428 407b44 6 API calls 6426->6428 6427->6330 
6428->6427 6436 406aa6 6429->6436 6439 406b2a 6429->6439 6430 406b01 6431 406b0b 6430->6431 6432 406b6f 6430->6432 6434 406b32 6431->6434 6435 406b22 6431->6435 6433 407b44 6 API calls 6432->6433 6433->6439 6434->6439 6440 40a1ba 2 API calls 6434->6440 6438 407b44 6 API calls 6435->6438 6436->6430 6436->6439 6441 40a254 6436->6441 6438->6439 6439->6330 6440->6439 6442 4064f4 12 API calls 6441->6442 6443 40a264 6442->6443 6443->6430 6445 4061e9 6444->6445 6446 407a18 6444->6446 6445->6341 6446->6445 6447 406406 7 API calls 6446->6447 6447->6445 6449 405df9 6448->6449 6454 406f86 __aulldiv __aullrem 6448->6454 6449->6155 6449->6156 6450 4076fc 18 API calls 6450->6454 6451 4064f4 12 API calls 6451->6454 6452 40a439 WideCharToMultiByte 6452->6454 6453 406406 7 API calls 6453->6454 6454->6449 6454->6450 6454->6451 6454->6452 6454->6453 6455 407762 18 API calls 6454->6455 6456 407731 18 API calls 6454->6456 6455->6454 6456->6454 6458 4069d3 6457->6458 6459 405da8 6458->6459 6460 4064f4 12 API calls 6458->6460 6459->6185 6460->6459 6462 406a5b 6461->6462 6463 406a7d 6461->6463 6464 406a8d 6462->6464 6465 407a72 6 API calls 6462->6465 6463->6464 6466 407a72 6 API calls 6463->6466 6464->6188 6467 406a6b 6465->6467 6466->6464 6467->6188 6469 405ea2 GetCurrentProcess TerminateProcess 6468->6469 6470 405eb3 6468->6470 6469->6470 6471 405e81 6470->6471 6472 405f1d ExitProcess 6470->6472 6471->5413

    Control-flow Graph
    APIs
    • FindResourceA.KERNEL32(00000004,0000000A), ref: 0040147D
    • LoadResource.KERNEL32(00000000), ref: 00401496
    • GetVersionExA.KERNEL32(?), ref: 004014CC
    • SetCurrentDirectoryA.KERNELBASE(C:\Temp), ref: 00401508
    • LockResource.KERNEL32(00000000), ref: 0040150F
    • SizeofResource.KERNEL32(?), ref: 00401520
    • LogonUserA.ADVAPI32(00412060,00000000,004120A0,00000002,00000000,004010B3), ref: 004015F3
    • GetTickCount.KERNEL32 ref: 00401642
    • GetFileAttributesA.KERNEL32(?), ref: 004016C4
    • SetFileAttributesA.KERNEL32(?,00000000), ref: 004016D4
    • SetFileAttributesA.KERNELBASE(?,00000002), ref: 0040172F
    • GetExitCodeProcess.KERNEL32(?,?), ref: 0040185D
    • Sleep.KERNEL32(000001F4), ref: 0040187D
    • GetLastError.KERNEL32(00412060,00000000,004120A0,00000001,00000000,?,00000020,00000000,C:\Temp,?,?), ref: 0040188C
    • FormatMessageA.KERNEL32(00001200,00000000,00000000,00000400,?,00000104,00000000), ref: 004018AB
    • CreateProcessAsUserA.ADVAPI32(004010B3,00000000,?,00000000,00000000,00000000,00000020,00000000,C:\Temp,?,?), ref: 004018D9
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004018EA
    • Sleep.KERNEL32(000001F4), ref: 0040190E
    • GetLastError.KERNEL32 ref: 00401916
    • FormatMessageA.KERNEL32(00001200,00000000,00000000,00000400,?,00000104,00000000), ref: 00401935
      • Part of subcall function 00401A85: LoadLibraryA.KERNEL32(ADVAPI32.DLL,C:\Temp,00000000,00000000), ref: 00401A93
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000020,00000000,C:\Temp,?,?), ref: 0040196C
    • GetExitCodeProcess.KERNELBASE(?,?), ref: 0040197D
    • Sleep.KERNELBASE(000001F4), ref: 0040199D
    • GetLastError.KERNEL32 ref: 004019A5
    • FormatMessageA.KERNEL32(00001200,00000000,00000000,00000400,?,00000104,00000000), ref: 004019C4
    • GetFileAttributesA.KERNELBASE(?), ref: 00401A24
    • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00401A34
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AttributesFileProcess$Resource$CodeErrorExitFormatLastMessageSleep$CreateLoadUser$CountCurrentDirectoryFindLibraryLockLogonSizeofTickVersion
    • String ID: " //noLogo $%s\%lX%s$Attempted to run %s in %s$C:\Temp$CScript.exe$Cannot run Script, error: %s$Cannot write Script %s, error: %lX$Could not authenticate user.$Could not create Script %s$PATH$Unknown error$WScript.exe$` A$hsdiafwiuera$ A
    • API String ID: 3301788104-2447094157
    • Opcode ID: d375ef8543d51523e7b4bc8a60d577cf8fd657b75d507abcd1158d50155941e2
    • Instruction ID: e918a6faa2df6874cc42cb38bddcd89b605ddef7fcad1811ab43352918cc14cf
    • Opcode Fuzzy Hash: d375ef8543d51523e7b4bc8a60d577cf8fd657b75d507abcd1158d50155941e2
    • Instruction Fuzzy Hash: BFF16F72940618EAEB20EBA1DD89EDF777CEB04744F504177F609F2091DA789A84CF68
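    The function summarised above is the wrapper's launcher. Its string table gives the command-line pieces (" //noLogo ", "CScript.exe", "WScript.exe", "C:\Temp" and the path format "%s\%lX%s", i.e. folder, a hex number, extension), SetFileAttributesA(?, 2) marks the dropped file FILE_ATTRIBUTE_HIDDEN, LogonUserA is called with a username and password stored in the image (its first and third arguments, 0x412060 and 0x4120A0; logon type 2 is LOGON32_LOGON_INTERACTIVE) and the host is started with CreateProcessAsUserA or, on the other branch, CreateProcessA; after GetExitCodeProcess/Sleep polling the attributes are reset and the helper at 0x401f25 (DeleteFileA) removes the script. The .vbs therefore only exists on disk while the host runs, so the process-creation event is the reliable artefact. The following Python is an added example, not part of the Joe Sandbox report: a detection that scores a process-creation record on three independent indicators (a hex-named script under C:\Temp, //nologo, and a parent that is not a shell or Explorer). The event records, the EXPECTED_PARENTS set and the two-indicator threshold are constructed assumptions for the demonstration, not data from the report.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Assumed set of parents that legitimately start script hosts on a workstation.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe", "taskeng.exe"}
# The wrapper names its drop with "%s\%lX%s": folder, a hex number, extension.
TEMP_HEX_SCRIPT = re.compile(r"(?i)^[a-z]:\\temp\\[0-9a-f]{1,8}\.(vbs|vbe|js|jse|wsf)$")
NOLOGO = re.compile(r"(?i)//nologo")


@dataclass
class ProcEvent:
    image: str          # NewProcessName
    cmdline: str        # CommandLine
    parent_image: str   # ParentImage


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmdline):
    """First argument of a script-host command line that is not a //switch or -switch."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return next((t for t in toks[1:] if not t.startswith(("/", "-"))), "")


def classify(ev):
    """Return the indicators an event shows for a script-wrapper drop; [] if it is not a script host."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return []
    reasons = []
    if TEMP_HEX_SCRIPT.match(script_argument(ev.cmdline)):
        reasons.append("hex-named script under C:\\Temp")
    if NOLOGO.search(ev.cmdline):
        reasons.append("//nologo banner suppression")
    parent = _basename(ev.parent_image)
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent %s" % parent)
    return reasons


def is_suspicious(ev):
    """Two indicators are required so a plain `wscript //nologo` typed into cmd.exe is not flagged."""
    return len(classify(ev)) >= 2


def scan(events):
    """(index, reasons) for every event that crosses the threshold."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if is_suspicious(ev)]


# Constructed process-creation records (not taken from the report); the first one is
# modelled on the command-line format strings listed in the function's String ID.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cscript.exe",
              r'"C:\Windows\system32\CScript.exe" //noLogo C:\Temp\1A2B3C.vbs',
              r"C:\Users\user\Desktop\WWAddToLocalAdmins.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //nologo "C:\Program Files\Vendor\update.vbs"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Temp\1A2B3C.vbs",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", "; ".join(why))
```

    Only the first constructed record crosses the threshold: the second is a signed vendor script started from a shell with //nologo, which on its own is normal, and the third is not a script host at all. Because the wrapper deletes the .vbs after the host exits, pair this with file-creation telemetry on C:\Temp if the script body itself is wanted.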

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x407b44; its nodes call WriteFile and GetLastError.
    APIs
    • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 00407C1C
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 73d54d88d52b8ceae6ecfa69a519c1f4018bb9d428d6ba41dadd3f09c591db4a
    • Instruction ID: 0e682b5179343e49248b36a4ff5e99b2184ab8e0deec907a994f54ade6ff0f55
    • Opcode Fuzzy Hash: 73d54d88d52b8ceae6ecfa69a519c1f4018bb9d428d6ba41dadd3f09c591db4a
    • Instruction Fuzzy Hash: C851E471D08208EFDB11CF68C984AAE7BB0FF45344F20817AE815EB2D1D374AA40DB5A

    Control-flow Graph

    APIs
    • FindResourceA.KERNEL32(00000001,0000000A), ref: 004010EA
    • LoadResource.KERNEL32(00000000), ref: 004010FF
    • LockResource.KERNEL32(00000000), ref: 0040110E
    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00401134
    • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00401166
    • GetTempPathA.KERNEL32(00000104,C:\Temp), ref: 004011C4
    • SetCurrentDirectoryA.KERNEL32(C:\Temp), ref: 004011E7
    • GetCurrentDirectoryA.KERNEL32(00000104,C:\Temp), ref: 00401207
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: Directory$Resource$Current$FindLoadLockPathSystemTempWindows
    • String ID: :\Temp$C:\Temp$C:\Windows\system32$Cannot create temporary folder, please repackage with a specific folder.$WWAddToLocalAdmins
    • API String ID: 780872135-4288872780
    • Opcode ID: d2bff73f274509ca4c9be196e664c1e963386f4b45b4bd8c7cd39236907d45f8
    • Instruction ID: 4486252a737e8019c9e66440aacd954fea89cf482f7f45f74bf97b6ae9de44dc
    • Opcode Fuzzy Hash: d2bff73f274509ca4c9be196e664c1e963386f4b45b4bd8c7cd39236907d45f8
    • Instruction Fuzzy Hash: 5031D531500104FBE625A7A2AE49FDB36ADDF15745F10013BFA04F51E1EBBC8A45C96D
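    Both this function (FindResourceA(1, 0xA) at 0x4010EA, next to the "WWAddToLocalAdmins" and temp-folder strings) and the launcher at 0x401467 (FindResourceA(4, 0xA) at 0x40147D, followed by LockResource and SizeofResource before the script file is created) read RT_RCDATA resources (type 0x0A) by integer ID, so the embedded script can be recovered without running the sample. The following Python is an added example, not part of the Joe Sandbox report: a minimal PE32 resource-directory walker that returns every RT_RCDATA resource, plus a builder that fabricates a tiny PE carrying two such resources so the walker can be exercised offline. The builder, the payload bytes and the assumption that ID 4 holds the script are constructed for the demonstration; run extract_rcdata on the real file to see what each ID actually contains.

```python
import struct
import sys

RT_RCDATA = 10  # resource type 0x0A, the second FindResourceA argument in the report


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _headers(pe):
    """Return (resource directory RVA, [(VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = _u16(pe, e_lfanew + 6)
    opt_size = _u16(pe, e_lfanew + 20)
    opt = e_lfanew + 24
    # data directories start 96 bytes into a PE32 optional header, 112 into PE32+
    dirs = opt + (96 if _u16(pe, opt) == 0x10B else 112)
    rsrc_rva = _u32(pe, dirs + 2 * 8)            # entry 2 = IMAGE_DIRECTORY_ENTRY_RESOURCE
    sec_tbl = opt + opt_size
    secs = [(_u32(pe, s + 12), _u32(pe, s + 16), _u32(pe, s + 20))
            for s in range(sec_tbl, sec_tbl + 40 * nsec, 40)]
    return rsrc_rva, secs


def _rva_to_off(rva, secs):
    for va, raw_size, raw_ptr in secs:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by file data" % rva)


def _entries(pe, base, off):
    """Yield (name_or_id, offset) for one IMAGE_RESOURCE_DIRECTORY at base+off."""
    n = _u16(pe, base + off + 12) + _u16(pe, base + off + 14)
    for e in range(base + off + 16, base + off + 16 + 8 * n, 8):
        yield _u32(pe, e), _u32(pe, e + 4)


def extract_rcdata(pe):
    """Map resource ID -> bytes for every RT_RCDATA resource (first language of each)."""
    rsrc_rva, secs = _headers(pe)
    base = _rva_to_off(rsrc_rva, secs)
    found = {}
    for type_id, off in _entries(pe, base, 0):
        if type_id != RT_RCDATA or not off & 0x80000000:
            continue
        for res_id, off2 in _entries(pe, base, off & 0x7FFFFFFF):
            if not off2 & 0x80000000:
                continue
            for _lang, off3 in _entries(pe, base, off2 & 0x7FFFFFFF):
                if off3 & 0x80000000:
                    continue                     # a fourth level is not valid
                data_rva, size = _u32(pe, base + off3), _u32(pe, base + off3 + 4)
                o = _rva_to_off(data_rva, secs)
                found[res_id] = pe[o:o + size]
                break
    return found


def build_fixture_pe(payloads):
    """Constructed stand-in for the sample: a PE32 whose only section is .rsrc holding
    each {id: bytes} as RT_RCDATA. Layout: root dir, type dir, one ID dir per resource,
    one data entry per resource, then the raw data."""
    RSRC_VA, RSRC_RAW = 0x1000, 0x200
    ids = sorted(payloads)
    type_dir = 16 + 8
    id_dirs = type_dir + 16 + 8 * len(ids)
    data_entries = id_dirs + 24 * len(ids)
    data_start = data_entries + 16 * len(ids)

    def rdir(entries):
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
        return hdr + b"".join(struct.pack("<II", k, v) for k, v in entries)

    rsrc = rdir([(RT_RCDATA, 0x80000000 | type_dir)])
    rsrc += rdir([(rid, 0x80000000 | (id_dirs + 24 * k)) for k, rid in enumerate(ids)])
    for k in range(len(ids)):
        rsrc += rdir([(0x409, data_entries + 16 * k)])   # language leaf -> data entry
    cursor = data_start
    for rid in ids:
        rsrc += struct.pack("<IIII", RSRC_VA + cursor, len(payloads[rid]), 0, 0)
        cursor += len(payloads[rid])
    rsrc += b"".join(payloads[rid] for rid in ids)

    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, 0, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 0, 0, 0, 0, 0, 0,
                       0, 0x2000, RSRC_RAW, 0, 2, 0, 0, 0, 0, 0, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (RSRC_VA, len(rsrc))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rsrc), RSRC_VA, len(rsrc),
                                                 RSRC_RAW, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(RSRC_RAW, b"\0") + rsrc


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture_pe(
        {1: b"WWAddToLocalAdmins", 4: b"' constructed stand-in for the embedded .vbs\r\n"})
    for rid, blob in sorted(extract_rcdata(image).items()):
        print("RT_RCDATA id=%d size=%d head=%r" % (rid, len(blob), blob[:40]))
```

    Run with the sample path as the only argument to list its RT_RCDATA resources; without an argument it parses the constructed fixture. The walker only follows the standard three-level directory (type, name/ID, language) and takes the first language entry, which is all a script wrapper like this one needs.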

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x4051b3; its nodes call CreateFileA, WriteFile, GetFileType, SetFileTime and CloseHandle.
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID: ../$..\$:$\
    • API String ID: 0-80979867
    • Opcode ID: 098fd24160655073bd609300c283440aa3e54eed2f455fa83b508cd1f0f440e7
    • Instruction ID: 608a6b31dc1b68860e86a3379f04e42f945a3dd6272acdf9cb53df45074aca12
    • Opcode Fuzzy Hash: 098fd24160655073bd609300c283440aa3e54eed2f455fa83b508cd1f0f440e7
    • Instruction Fuzzy Hash: 09811072500A04EBDB20AE64D884BAB77A8EF40314F2445BFF994B32D1D7399D858E19

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x40b257; its nodes call CompareStringW, CompareStringA, GetCPInfo and MultiByteToWideChar.
    APIs
    • CompareStringW.KERNEL32(00000000,00000000,0040D960,00000001,0040D960,00000001,00000000,02010C6C,?,0040789C,00000000,?,00000000,?,00000000,00000000), ref: 0040B295
    • CompareStringA.KERNEL32(00000000,00000000,0040D95C,00000001,0040D95C,00000001), ref: 0040B2B2
    • CompareStringA.KERNEL32(00000000,?,00000000,00405F90,00000000,00000000,00000000,02010C6C,?,0040789C,00000000,?,00000000,?,00000000,00000000), ref: 0040B310
    • GetCPInfo.KERNEL32(?,00000000,00000000,02010C6C,?,0040789C,00000000,?,00000000,?,00000000,00000000,00405F90), ref: 0040B361
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0040B3E0
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0040B441
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0040B454
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040B4A0
    • CompareStringW.KERNEL32(00000000,?,00000000,00000000,?,00000000,?,00000000), ref: 0040B4B8
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: ByteCharCompareMultiStringWide$Info
    • String ID:
    • API String ID: 1651298574-0
    • Opcode ID: a5a2720d8c65915fd193b2154b074084265cb018b18010a80a50086f9a861c72
    • Instruction ID: 09a9e0b578cbae60a846b3132b9d2162a968b3ca070cf25f5d7143338ae21658
    • Opcode Fuzzy Hash: a5a2720d8c65915fd193b2154b074084265cb018b18010a80a50086f9a861c72
    • Instruction Fuzzy Hash: 9871AA31900249EFCF229F948C85AAF7BB9EF05714F24413BF915B22A1D3398951DB9C

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x40a977; its nodes call CreateFileA, GetFileType, CloseHandle and GetLastError.
    APIs
    • CreateFileA.KERNELBASE(00000001,80000000,?,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 0040AB23
    • GetFileType.KERNELBASE(00000000), ref: 0040AB30
    • CloseHandle.KERNEL32(00000000), ref: 0040AB3B
    • GetLastError.KERNEL32 ref: 0040AB41
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: File$CloseCreateErrorHandleLastType
    • String ID: @$H
    • API String ID: 1809617866-104103126
    • Opcode ID: dfe4def5e1587e50a71c1d94a33598ac66e38608b3f4543a3698f3156f830137
    • Instruction ID: b23a8f7d8326d3abc55ea2deab760222e5db5aabd53c33d92e542b4d051bae52
    • Opcode Fuzzy Hash: dfe4def5e1587e50a71c1d94a33598ac66e38608b3f4543a3698f3156f830137
    • Instruction Fuzzy Hash: 4381D671A083059BEF208B6889447EF7B60AB01318F25863BE961762D1C7BD4DA5DB4F

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x40be46; its nodes call SetCurrentDirectoryA, GetCurrentDirectoryA, SetEnvironmentVariableA and GetLastError.
    APIs
    • SetCurrentDirectoryA.KERNELBASE(00401DC5), ref: 0040BE52
    • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 0040BE68
    • SetEnvironmentVariableA.KERNEL32(0000003D,?), ref: 0040BEAC
    • GetLastError.KERNEL32 ref: 0040BEBA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: CurrentDirectory$EnvironmentErrorLastVariable
    • String ID: :$=
    • API String ID: 373561786-2134709475
    • Opcode ID: baae35d1e41d6b42a2b544fe7a6bfdcfd7b39894f94f77840b4b72554d617489
    • Instruction ID: 62db2d784908df531214304bdf886296fe33e598e1e228673604f14bc714f9d5
    • Opcode Fuzzy Hash: baae35d1e41d6b42a2b544fe7a6bfdcfd7b39894f94f77840b4b72554d617489
    • Instruction Fuzzy Hash: 7E01D431204148AADF219BB4DC44BDB3BAD8B15344F0441B6EAC8E51C1DB78C6C9C7ED

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x409c8d; its nodes call GetStartupInfoA, GetStdHandle, GetFileType and SetHandleCount.
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 00409CE6
    • GetFileType.KERNEL32(00000800), ref: 00409D8C
    • GetStdHandle.KERNEL32(-000000F6), ref: 00409DE5
    • GetFileType.KERNELBASE(00000000), ref: 00409DF3
    • SetHandleCount.KERNEL32 ref: 00409E2A
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: 4015822d68b95a3e461a97c81ee0ab713367f3eb2842ebde40fb01baa5aca4d8
    • Instruction ID: 5d08c526bcdc084a3a6ede86523a1377e4bf278c30fd4f585b16d6e8718200cd
    • Opcode Fuzzy Hash: 4015822d68b95a3e461a97c81ee0ab713367f3eb2842ebde40fb01baa5aca4d8
    • Instruction Fuzzy Hash: 885124715482408BD7218F28CD84BA67BA0AF51324F19833EE4A6EB3E3D7789C55C79D

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x401000; its nodes call GetModuleHandleA.
    APIs
    • GetModuleHandleA.KERNEL32(00000000,?,?,00406952,02010C70), ref: 00401004
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: /DIAG$Corrupt image file!$ A
    • API String ID: 4139908857-2500719215
    • Opcode ID: a6714358d863857f0070df51bbfdf8cad990ca1bce6a0dd81486542c388b0182
    • Instruction ID: 7b2249f0f974e851b4cdf7c302836ab6fa53be86b1d261b2a57aa044d99181cd
    • Opcode Fuzzy Hash: a6714358d863857f0070df51bbfdf8cad990ca1bce6a0dd81486542c388b0182
    • Instruction Fuzzy Hash: 8911C632504341A9F635BB229C86F7B23A8DF41728F60003FF884B56D2DB7D58C1992E

    Control-flow Graph

    • Graph image omitted (blocks were marked executed or not executed). Function at 0x405e96; its nodes call GetCurrentProcess, TerminateProcess and ExitProcess.
    APIs
    • GetCurrentProcess.KERNEL32(00401A85,C:\Temp,00405E81,00000000,00000000,00000000,00401A85,00000001), ref: 00405EA6
    • TerminateProcess.KERNEL32(00000000), ref: 00405EAD
    • ExitProcess.KERNEL32 ref: 00405F27
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID: C:\Temp
    • API String ID: 1703294689-984105843
    • Opcode ID: 0cb5bf8f8a793ebc4945a21551dd41bf13c9db70fb5804bb92f44856e766ced3
    • Instruction ID: 0d8711f069f6ad519bdffe1f7ca9d3ba300f9ed896b8a6131d8e13c5b37178e4
    • Opcode Fuzzy Hash: 0cb5bf8f8a793ebc4945a21551dd41bf13c9db70fb5804bb92f44856e766ced3
    • Instruction Fuzzy Hash: 8C0180B1604A41DBD6209F69FE89A5B7BA4FB84314B10813BE480B21E1DB796A44CF6D

    Control-flow Graph

    APIs
    • GetVersion.KERNEL32 ref: 004068C4
      • Part of subcall function 00408069: HeapCreate.KERNELBASE(00000000,00001000,00000000,004068FC,00000000), ref: 0040807A
      • Part of subcall function 00408069: HeapDestroy.KERNEL32 ref: 004080B9
    • GetCommandLineA.KERNEL32 ref: 00406912
      • Part of subcall function 004069A2: ExitProcess.KERNEL32 ref: 004069BF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: Heap$CommandCreateDestroyExitLineProcessVersion
    • String ID: $/
    • API String ID: 1387771204-3188213859
    • Opcode ID: 9288b119891a44d6506e9c13f41e88025181ea9bb74fdbb80cdd9ca44a034c24
    • Instruction ID: 2efe7ca91c5146f39dc8c46c34f82c9a2b89eda9845153d788af090991f350dd
    • Opcode Fuzzy Hash: 9288b119891a44d6506e9c13f41e88025181ea9bb74fdbb80cdd9ca44a034c24
    • Instruction Fuzzy Hash: A41160B19406059FE708AFA6DE46B6977A4EB44304F10817EF511E72E2DA7C4910CB5D

    Control-flow Graph (rendered image not available; node and edge listing follows)
    control_flow_graph 610 401f25-401f3a call 406342 613 401f3c-401f4c call 40bf44 call 40becc 610->613 614 401f6e-401f79 DeleteFileA 610->614 619 401f67-401f6d call 4061c2 613->619 620 401f4e-401f4f 613->620 619->614 622 401f51-401f64 call 406218 620->622 626 401f66 622->626 626->619
    APIs
    • DeleteFileA.KERNELBASE(00401A46,00000000,00401A46,?), ref: 00401F72
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: DeleteFile
    • String ID: C:\Temp$r+b
    • API String ID: 4033686569-657028590
    • Opcode ID: d5485071e094d885dc6be93397eaf6692831278514cbcbb92fff3306e7c6b516
    • Instruction ID: 70a1ea3c8e72db8569322dda9569e27dfc438ed77bd5eea858534cc8199ba7f3
    • Opcode Fuzzy Hash: d5485071e094d885dc6be93397eaf6692831278514cbcbb92fff3306e7c6b516
    • Instruction Fuzzy Hash: 12E0ED3224861235DA21326AAC06B9F6A49CF82778F21017FF408B92E2DB7D884240DD

    Control-flow Graph (rendered image not available; node and edge listing follows)
    control_flow_graph 627 405c69-405c72 628 405c74-405c77 627->628 629 405ca7-405cb1 627->629 628->629 630 405c79-405c92 SetCurrentDirectoryA 628->630 631 405cbb-405cbf 629->631 632 405c94-405c97 630->632 633 405c98-405ca5 GetLastError call 406c5e 630->633 633->631
    APIs
    • SetCurrentDirectoryA.KERNELBASE(?,?,0040127D,-00000040,00000000), ref: 00405C8A
    • GetLastError.KERNEL32(?,0040127D,-00000040,00000000), ref: 00405C98
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: CurrentDirectoryErrorLast
    • String ID: :
    • API String ID: 152501406-336475711
    • Opcode ID: d3d322219eed68f5ba2c8ea391bc9d1e865504202b0f248afd6a35fdb85c0b55
    • Instruction ID: 5883ee4a9f5f26ae96e6c7cee46c698dbc8f21274b4e510c5e90d3e2e25b049b
    • Opcode Fuzzy Hash: d3d322219eed68f5ba2c8ea391bc9d1e865504202b0f248afd6a35fdb85c0b55
    • Instruction Fuzzy Hash: 53F0A7711086499EFB009FA4D94878A3F98EB0135CF108176F56DDE2C1D778C5548F59

    Control-flow Graph (rendered image not available; node and edge listing follows)
    control_flow_graph 636 40a1ba-40a1c7 637 40a1c9-40a1e4 636->637 638 40a23c-40a243 636->638 637->638 640 40a1e6-40a1f0 call 40a8e3 637->640 639 40a24d 638->639 641 40a250-40a253 639->641 644 40a1f2-40a1fc 640->644 645 40a1fe-40a214 SetFilePointer 640->645 644->639 646 40a216-40a21c GetLastError 645->646 647 40a21e 645->647 648 40a220-40a222 646->648 647->648 649 40a224-40a22b call 406c5e 648->649 650 40a22d-40a23a 648->650 649->639 650->641
    APIs
    • SetFilePointer.KERNELBASE(00000000,00407BA2,00000000,00401227,00000000,00401227,?,00407BA2,00401227,00000000,00000002,00000001,?,?), ref: 0040A209
    • GetLastError.KERNEL32 ref: 0040A216
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: af44716e2dbff77b9c48b1bcfb5e7fca248be1cd744590c1be24b44883aca208
    • Instruction ID: 8e06b0b98e8b5163bc1f639ae4622e3fced4bf3c930368a3184e95425e106e84
    • Opcode Fuzzy Hash: af44716e2dbff77b9c48b1bcfb5e7fca248be1cd744590c1be24b44883aca208
    • Instruction Fuzzy Hash: 0A1104325083019BC710DBB89D88A563790AB45338F21477EE532E73E2D77AC865D70A

    Control-flow Graph (rendered image not available; node and edge listing follows)
    control_flow_graph 653 408069-408087 HeapCreate 654 408089-408096 call 407f21 653->654 655 4080bf-4080c1 653->655 658 4080a5-4080a8 654->658 659 408098-4080a3 call 4080c6 654->659 661 4080c2-4080c5 658->661 662 4080aa call 408c0d 658->662 665 4080af-4080b1 659->665 662->665 665->661 666 4080b3-4080b9 HeapDestroy 665->666 666->655
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,004068FC,00000000), ref: 0040807A
      • Part of subcall function 00407F21: GetVersionExA.KERNEL32 ref: 00407F40
    • HeapDestroy.KERNEL32 ref: 004080B9
      • Part of subcall function 004080C6: HeapAlloc.KERNEL32(00000000,00000140,004080A2,000003F8), ref: 004080D3
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: Heap$AllocCreateDestroyVersion
    • String ID:
    • API String ID: 2507506473-0
    • Opcode ID: 006f06b5b64bdd850d6f085a5395eab8e7166bab1cd7ec123ba1ca1db08b8992
    • Instruction ID: 682c225415af963ada1f81d6e2be094aa027d906d8257a4d767d7ebd7d6c45c6
    • Opcode Fuzzy Hash: 006f06b5b64bdd850d6f085a5395eab8e7166bab1cd7ec123ba1ca1db08b8992
    • Instruction Fuzzy Hash: 87F0ED30A55202DAEB302BB09F4A36A35D4DB10385F11843FF181E91E0EFB88484E50E
    APIs
    • GetFileAttributesA.KERNELBASE(00000000,00401D36,00401174,00000000), ref: 00405C29
    • GetLastError.KERNEL32 ref: 00405C34
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AttributesErrorFileLast
    • String ID:
    • API String ID: 1799206407-0
    • Opcode ID: ea93e283f85052d32674e5dc0906a6a0042ec20e4dffa219ed6709de4ef9c1f1
    • Instruction ID: 0514cc873e2fec5dac6a091e39a699ec2d92ff5bbeaf9aef268bcb6818ec584c
    • Opcode Fuzzy Hash: ea93e283f85052d32674e5dc0906a6a0042ec20e4dffa219ed6709de4ef9c1f1
    • Instruction Fuzzy Hash: A9E04F7000870096E70457709E4DB473A51AF41338F14876AE575A11E0C77885D4AF09
    APIs
    • CreateDirectoryA.KERNELBASE(00000000,00000000,00401DD7,?,?,?,C:\Windows\system32), ref: 004060F5
    • GetLastError.KERNEL32(?,?,C:\Windows\system32), ref: 004060FF
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID:
    • API String ID: 1375471231-0
    • Opcode ID: 3d3e036ac298863ee8e6720c251a863e352e7cd4734cd597915e2c11bfce4341
    • Instruction ID: 3af6577d5b6731aa80c13da9b4ace1ec58e4f2b2cf44c323c5b5eddee6668fb8
    • Opcode Fuzzy Hash: 3d3e036ac298863ee8e6720c251a863e352e7cd4734cd597915e2c11bfce4341
    • Instruction Fuzzy Hash: 01D0A930200202D2EE002B709D0870B36945B40321F658B3AB01AF80E2EB78C8A0A419
    APIs
    • CloseHandle.KERNELBASE(00000000,00000100,00000000,?,00000000,0040AC0C,00000000), ref: 004079BE
    • GetLastError.KERNEL32(?,00000000,0040AC0C,00000000), ref: 004079C8
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: CloseErrorHandleLast
    • String ID:
    • API String ID: 918212764-0
    • Opcode ID: 043498f00bb74f7825b5244d18491a8620e66036629b85e54749b1a3d49db123
    • Instruction ID: c2fc600a40ef96b2a81b3450e8cc045333a5a44d02f120eab54ed0736bee021b
    • Opcode Fuzzy Hash: 043498f00bb74f7825b5244d18491a8620e66036629b85e54749b1a3d49db123
    • Instruction Fuzzy Hash: 17112B73E0C2049AE210A7A5ED8476A3354EB42729F15423FE410BB1D1DABCAC55965F
    APIs
    • UnhandledExceptionFilter.KERNELBASE(?,?,?,0040696F,?,?,00000000), ref: 00409809
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: f14d06d052ffa44639dde9d2ebd4d0a9ab52a2d53f5ebbb3f52358ac368c2f99
    • Instruction ID: 572fc96877acae4735ca67d2067cf727a4c456a594ad748f908c0c510c717bbe
    • Opcode Fuzzy Hash: f14d06d052ffa44639dde9d2ebd4d0a9ab52a2d53f5ebbb3f52358ac368c2f99
    • Instruction Fuzzy Hash: 31318F36525101DEDB148F10E984BA57760B755324F25C13BDA46A73F2EF789C818B4E
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 004063C9
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 57e44b5f676807dc4bde4be0ea4a5a171c5a6852537fab65597e738d7f7e81a1
    • Instruction ID: c3e458dfc669340cf7b6ac2915cd0f61fe2f611aa44ca84ac91d6f4c9fd4709a
    • Opcode Fuzzy Hash: 57e44b5f676807dc4bde4be0ea4a5a171c5a6852537fab65597e738d7f7e81a1
    • Instruction Fuzzy Hash: A0110036400924A6DB2196289D41A9B7225DB813B0F23813BFC57FB3E0CB78EC7196CD
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,00406516,000000E0,00406503,?,00409C9E,00000100), ref: 0040659E
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 7fb311165520402941655bd1e6b9a1f181fae7d3338fd8a2f7e2312952eeed54
    • Instruction ID: cf6252139c9e4325123a9ceec45151b7cc1f9ab362881082ac388c0de40c3901
    • Opcode Fuzzy Hash: 7fb311165520402941655bd1e6b9a1f181fae7d3338fd8a2f7e2312952eeed54
    • Instruction Fuzzy Hash: 51F0D132905520BADA20A728BD407CB2355DB04360F170633FC56FB2E8D778ECB1868D
    APIs
      • Part of subcall function 0040122C: FindResourceA.KERNEL32(00000002,0000000A), ref: 00401241
      • Part of subcall function 0040122C: LoadResource.KERNEL32(00000000), ref: 00401254
      • Part of subcall function 00401334: FindResourceA.KERNEL32(00000003,0000000A), ref: 00401349
      • Part of subcall function 00401334: LoadResource.KERNEL32(00000000), ref: 0040135C
      • Part of subcall function 00401467: FindResourceA.KERNEL32(00000004,0000000A), ref: 0040147D
      • Part of subcall function 00401467: LoadResource.KERNEL32(00000000), ref: 00401496
      • Part of subcall function 00401DEB: SetCurrentDirectoryA.KERNEL32(C:\Temp,?,?,004010CA,004010B3,00406952,02010C70), ref: 00401E1D
      • Part of subcall function 00401DEB: RemoveDirectoryA.KERNEL32(C:\Temp,?,004010CA,004010B3,00406952,02010C70), ref: 00401E64
    • PostQuitMessage.USER32(00000000), ref: 004010CC
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: Resource$FindLoad$Directory$CurrentMessagePostQuitRemove
    • String ID:
    • API String ID: 2424967511-0
    • Opcode ID: 9b0974e1c05ca15360a731211924880ebeaa8ba6a4e103af36bb5ef6d68bb730
    • Instruction ID: a19378402931b92c3d18c6f3c2988d76f50037f8c0c77d8dc61273735249f48a
    • Opcode Fuzzy Hash: 9b0974e1c05ca15360a731211924880ebeaa8ba6a4e103af36bb5ef6d68bb730
    • Instruction Fuzzy Hash: 11B09920A02000AAE2003BF22A8B38E20A00F0A30FF0008BFB000F80F3AE382000082F
    APIs
    • LoadLibraryA.KERNEL32(00000000,00000000,00000000), ref: 00401C82
    • GetProcAddress.KERNEL32(00000000,DllUnregisterServer), ref: 00401C90
    • GetLastError.KERNEL32 ref: 00401C9E
    • FreeLibrary.KERNEL32(00000000), ref: 00401CAE
    • GetLastError.KERNEL32 ref: 00401CB6
    • WinExec.KERNEL32(?,00000000), ref: 00401D05
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: ErrorLastLibrary$AddressExecFreeLoadProc
    • String ID: .WSC$.wsc$DllRegisterServer$DllUnregisterServer$regsvr32 scrobj.dll /n /i:"file://
    • API String ID: 390581759-2585386122
    • Opcode ID: fcfaf696a8d7f8cdc508c1cbc23b8d9ad9a8760556e8c3ee3c71b0d58d73487b
    • Instruction ID: 5afef6b34bda9e0d23eba7401d9adee522cc5dee57257b0d7833439319c2e802
    • Opcode Fuzzy Hash: fcfaf696a8d7f8cdc508c1cbc23b8d9ad9a8760556e8c3ee3c71b0d58d73487b
    • Instruction Fuzzy Hash: 851100B6944510EBDB20B7F1AC4DA8B33AC8F44324B60057BF904F31D1EA7CD9498AAC
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID: 7U@
    • API String ID: 0-1869988486
    • Opcode ID: d635e9eeebc94a6c803d08760003b16c3dcb35be832c8a412f436ccb6714deb4
    • Instruction ID: bcafebdf1a2d875a350eb63c55a0fe1a5094f2e8c86803f19a1a4c443a4327bb
    • Opcode Fuzzy Hash: d635e9eeebc94a6c803d08760003b16c3dcb35be832c8a412f436ccb6714deb4
    • Instruction Fuzzy Hash: 74A1C3B1904644AFCB25CFA8C441BDBBBF4EF44304F14857FE599AB282C779A544CB98
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 43c706d9e41836376d7e933e65d268e2c2d93b9f3cd133d49fa2d7fc833ae050
    • Instruction ID: bc919f1cfe57e20b710b131fa944e87a88d5cb6ab0d6f0fdfc3ffe4fa386c13e
    • Opcode Fuzzy Hash: 43c706d9e41836376d7e933e65d268e2c2d93b9f3cd133d49fa2d7fc833ae050
    • Instruction Fuzzy Hash: 85520F75900606EFCB14CF69C684AAABBF1FF48314F10852EE85AA7780D378EA55DF44
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd456d0a2ac21f22572992089a0a9e31470b378cf8197db732d88eec0fe28859
    • Instruction ID: af894359beaddcc2ce52179a952eaaab2aa5b99a09cec0b42aec96077bba2180
    • Opcode Fuzzy Hash: bd456d0a2ac21f22572992089a0a9e31470b378cf8197db732d88eec0fe28859
    • Instruction Fuzzy Hash: D4D11571A002199FDF18CFA9D8805EDBBB5FF88315F25827AD819B7391D734AA42CB44
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction ID: 201f1171485459bda58d5e11fb484342f72e17f8d6f8643914d83c2c9fdacb85
    • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction Fuzzy Hash: EAB17F75A0020ADFDB15CF04C6D0AA9BBA1BF58314F14C1AED8596B782DB35FA42CF94
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8ed0f164fed82f9ac8f52ec8c8882a6a4305a3065b2b61dc034e22c4e9027543
    • Instruction ID: 824e0285a62d5f1bcd73da554a8541ea15a1c03f1a81e75757b060958326733f
    • Opcode Fuzzy Hash: 8ed0f164fed82f9ac8f52ec8c8882a6a4305a3065b2b61dc034e22c4e9027543
    • Instruction Fuzzy Hash: 84317C33E285B607C364CEBA8C40026F7D1AB8A13674A87B5EDD8F7251E138ED59C6D4
    APIs
    • LoadLibraryA.KERNEL32(ADVAPI32.DLL,C:\Temp,00000000,00000000), ref: 00401A93
    • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 00401AB0
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ADVAPI32.DLL$C:\Temp$CreateProcessWithLogonW
    • API String ID: 2574300362-574701402
    • Opcode ID: b145b83ac4a3aef92451d4112d5cd12f11878ab6b496ddcc8232cf482edba3c3
    • Instruction ID: b6ada4a75b711fb35fc7f87ae417241eade80d1bc67f75d3df4f252d30f9eefb
    • Opcode Fuzzy Hash: b145b83ac4a3aef92451d4112d5cd12f11878ab6b496ddcc8232cf482edba3c3
    • Instruction Fuzzy Hash: 20516871940219FFCF119FA5CC458DE7FB4FF09370B204626F825A22A0D3398A61DBA9
    APIs
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00406922), ref: 00409B76
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00406922), ref: 00409B8A
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00406922), ref: 00409BB6
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00406922), ref: 00409BEE
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00406922), ref: 00409C10
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,00406922), ref: 00409C29
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00406922), ref: 00409C3C
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409C7A
    Strings
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID: "i@
    • API String ID: 1823725401-107731682
    • Opcode ID: d89070a92739fc2796e77cb5414c833da9f757392d7e30c84c35e933de504e15
    • Instruction ID: 94e1259f872e4914e771df492c50690a73832ef06b9b9c7de2987bfeef47e925
    • Opcode Fuzzy Hash: d89070a92739fc2796e77cb5414c833da9f757392d7e30c84c35e933de504e15
    • Instruction Fuzzy Hash: 753124B290C2655FF7203BB85CC483BB6DCF689314715053BF952E3283E6385C4186AD
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,0040A165,?,Microsoft Visual C++ Runtime Library,00012010,?,0040DC88,?,0040DCD8,?,?,?,Runtime Error!Program: ), ref: 0040B1D7
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040B1EF
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040B200
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040B20D
    Strings
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: 6dfa0b7cc4f67fe8872337b4a380bae8fede927f76dd41b834cf8e45c9ce6dde
    • Instruction ID: 05fbd66abe9ce7c237790b4204e0f1ef7c21c0d2e14d305025a9e371f713d731
    • Opcode Fuzzy Hash: 6dfa0b7cc4f67fe8872337b4a380bae8fede927f76dd41b834cf8e45c9ce6dde
    • Instruction Fuzzy Hash: F3017531A403099FD7109FF49D84A9B7AE8EE59BC0704447FB914E22A0D7FC88559BAD
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,0040D960,00000001,00000000,00000000,00000103,00000001,?,?,0040AD77,00200020,00000000,?,?,00000000), ref: 00406D07
    • LCMapStringA.KERNEL32(00000000,00000100,0040D95C,00000001,00000000,00000000,?,0040AD77,00200020,00000000,?,?,00000000,00000001), ref: 00406D23
    • LCMapStringA.KERNEL32(?,?,00000000,00200020,0040AD77,?,00000103,00000001,?,?,0040AD77,00200020,00000000,?,?,00000000), ref: 00406D6C
    • MultiByteToWideChar.KERNEL32(?,00000002,00000000,00200020,00000000,00000000,00000103,00000001,?,?,0040AD77,00200020,00000000,?,?,00000000), ref: 00406DA4
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040AD77,00200020,00000000), ref: 00406DFC
    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,0040AD77,00200020,00000000), ref: 00406E12
    • LCMapStringW.KERNEL32(?,?,0040AD77,00000000,0040AD77,?,?,0040AD77,00200020,00000000), ref: 00406E45
    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,0040AD77,00200020,00000000), ref: 00406EAD
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    • Opcode ID: 9e92d4d4351f2e05af2cb40de8b6b938a16e2c8d0823cb613cc3cdd9841c90e0
    • Instruction ID: af85f41c90454e270544ce4d013514648539a93f9ccd7443570df16a1398394f
    • Opcode Fuzzy Hash: 9e92d4d4351f2e05af2cb40de8b6b938a16e2c8d0823cb613cc3cdd9841c90e0
    • Instruction Fuzzy Hash: 5C518E31900209EFCF219F94CD45ADF7FB5FB48B54F11812AF916B22A0D3398921DBA8
    APIs
    • FindResourceA.KERNEL32(00000003,0000000A), ref: 00401349
    • LoadResource.KERNEL32(00000000), ref: 0040135C
    • SetCurrentDirectoryA.KERNEL32(C:\Temp), ref: 0040138C
    • LockResource.KERNEL32(00000000), ref: 00401393
    • SizeofResource.KERNEL32(00000000), ref: 004013A2
    Strings
    Similarity
    • API ID: Resource$CurrentDirectoryFindLoadLockSizeof
    • String ID: C:\Temp$hsdiafwiuera
    • API String ID: 1796454961-707658950
    • Opcode ID: de88e136f147ee5bc5e434993557e715239736817a89eba247ada6407f615412
    • Instruction ID: 29e710c566d4959c2791851d6b61095080c5a340387e2b2aae7574b25f24c880
    • Opcode Fuzzy Hash: de88e136f147ee5bc5e434993557e715239736817a89eba247ada6407f615412
    • Instruction Fuzzy Hash: 4031F732900610BAE722AB61DD4AFDF366CDB45754F10417BF900F21E1DA789B41CA6C
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A0AE
    • GetStdHandle.KERNEL32(000000F4,0040DC88,00000000,?,00000000,00000000), ref: 0040A184
    • WriteFile.KERNEL32(00000000), ref: 0040A18B
    Strings
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-4022980321
    • Opcode ID: 0c5ebb539f968db322c75e07349606a0b90fc57d7a54e2a32721a8344c2796e1
    • Instruction ID: 8244f97efe4f3eb91ac7641534c6eaeae898094714453c5effc5a3d2ddc1360e
    • Opcode Fuzzy Hash: 0c5ebb539f968db322c75e07349606a0b90fc57d7a54e2a32721a8344c2796e1
    • Instruction Fuzzy Hash: B731A272A40208AEEF20EB60CD86FDB336CEB45304F50057BF545F61D0D678E994CA5A
    APIs
    • FindResourceA.KERNEL32(00000002,0000000A), ref: 00401241
    • LoadResource.KERNEL32(00000000), ref: 00401254
    • SetCurrentDirectoryA.KERNEL32(C:\Windows\system32), ref: 00401284
    • LockResource.KERNEL32(00000000), ref: 0040128B
    • SizeofResource.KERNEL32(00000000), ref: 0040129A
    Strings
    Similarity
    • API ID: Resource$CurrentDirectoryFindLoadLockSizeof
    • String ID: C:\Windows\system32$hsdiafwiuera
    • API String ID: 1796454961-1451634567
    • Opcode ID: 3e59e55266f2ef64c96964f32da3999bbbe2091ecabaed5028506e86537535cd
    • Instruction ID: 55f1bcc0f2d2fdba3e565c3dce5fc56ee00eb4c5a17519726feeabf05d4f4b63
    • Opcode Fuzzy Hash: 3e59e55266f2ef64c96964f32da3999bbbe2091ecabaed5028506e86537535cd
    • Instruction Fuzzy Hash: A021D672900610BAE721A7719D0AFDF766CDF85750F10017AFA01F61E1DA78DA018AAD
    APIs
    • GetStringTypeW.KERNEL32(00000001,0040D960,00000001,?,00000103,00000001,?,0040AD77,00200020,00000000,?,?,00000000,00000001), ref: 0040A32F
    • GetStringTypeA.KERNEL32(00000000,00000001,0040D95C,00000001,?,?,?,00000000,00000001), ref: 0040A349
    • GetStringTypeA.KERNEL32(?,?,?,00000000,00200020,00000103,00000001,?,0040AD77,00200020,00000000,?,?,00000000,00000001), ref: 0040A37D
    • MultiByteToWideChar.KERNEL32(0040AD77,00000002,?,00000000,00000000,00000000,00000103,00000001,?,0040AD77,00200020,00000000,?,?,00000000,00000001), ref: 0040A3B5
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0040A40B
    • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 0040A41D
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: b2d121207fa3acec4dedabfb98e039319e6b803671e8b5dae72f73dadcc49b53
    • Instruction ID: c48cd55efd676305c8ee148f184b1436a8f3d4f3304d3e6b7a2e38095fc1850f
    • Opcode Fuzzy Hash: b2d121207fa3acec4dedabfb98e039319e6b803671e8b5dae72f73dadcc49b53
    • Instruction Fuzzy Hash: 83418D76900219EFCF219F94CC89EAF3F68EB08754F104536F911E2290D3788960CB96
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?), ref: 00403F0F
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?,00000001,?,004054E3), ref: 00403F38
    • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?,00000001,?,004054E3,00000000,00000000), ref: 00403F3C
    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?,00000001,?,004054E3,00000000,00000000,00000000), ref: 00403F3F
    • GetFileType.KERNEL32(?,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?,00000001,?,004054E3,00000000,00000000,00000000), ref: 00403F57
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,0040F150,0040F150,?,00404DBA,?,?,00000001,?,004054E3), ref: 00403FB4
    Similarity
    • API ID: File$CurrentProcess$CreateDuplicateHandlePointerType
    • String ID:
    • API String ID: 3364526186-0
    • Opcode ID: 285bf0fe0c087221b4a8362fc5d0f559cc79482a17957e5985dbb6e5847a0a94
    • Instruction ID: a50cb37393e663217fafab8c3b5f7ea66dc72f9b7629ebc68b04251fe7fd08d8
    • Opcode Fuzzy Hash: 285bf0fe0c087221b4a8362fc5d0f559cc79482a17957e5985dbb6e5847a0a94
    • Instruction Fuzzy Hash: 7231AEB0904346EFDB21CF69D884AAABFF8EB05304F10456FF585A7280C3759E45CB25
    APIs
    • GetVersionExA.KERNEL32 ref: 00407F40
    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00407F75
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00407FD5
    Strings
    Similarity
    • API ID: EnvironmentFileModuleNameVariableVersion
    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
    • API String ID: 1385375860-4131005785
    • Opcode ID: 2ac008044fa46832c24f9c74d6315bbf1f1f2528545629dd9902514b44da0ffe
    • Instruction ID: a25e26a89c14d68997db0fc0c447714964b3a35302d8c92fd51af37b3928528a
    • Opcode Fuzzy Hash: 2ac008044fa46832c24f9c74d6315bbf1f1f2528545629dd9902514b44da0ffe
    • Instruction Fuzzy Hash: A0313971C452896DEB3196705C81BEF77689B06304F1400FFE184F62C2DA39AE8DCB1A
    APIs
    • GetCurrentDirectoryA.KERNEL32(00000104,?,?), ref: 0040A6C4
      • Part of subcall function 0040A726: GetDriveTypeA.KERNEL32(00000000,?,0040A66C,00000000,?), ref: 0040A745
    • GetFullPathNameA.KERNEL32(00000000,00000104,?,00000000,?), ref: 0040A6B0
    Strings
    Similarity
    • API ID: CurrentDirectoryDriveFullNamePathType
    • String ID: .$:
    • API String ID: 3995704478-4202072812
    • Opcode ID: 527862646a73509c1b87d2488bc40414a97d04ab29ed0a298b802d938cbb142b
    • Instruction ID: d0d7adeba3d55cac9c0e97b675772e4d7d8b2ddf163c6e72a244caea50d2a54d
    • Opcode Fuzzy Hash: 527862646a73509c1b87d2488bc40414a97d04ab29ed0a298b802d938cbb142b
    • Instruction Fuzzy Hash: FE21C371204305AFEB10CF54C884BEA37BCAB10308F18847BED91E61C1DAB9D5A89B1F
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1549d2bf6c9b3ab25e7f724843e39966609f9ba4f811e2543127d7056baac74a
    • Instruction ID: cf1df4f8894d31fcc75c1994c72c5d5a06e42c8ae05ae8b2d5161b8ed9708502
    • Opcode Fuzzy Hash: 1549d2bf6c9b3ab25e7f724843e39966609f9ba4f811e2543127d7056baac74a
    • Instruction Fuzzy Hash: ED710432500511BBEB226A25CD41FAB3A29DF507A4F15413AFC14BA3E2EB78ED5197CC
    APIs
    • HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,004080AF), ref: 00408C2E
    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,?,?,004080AF), ref: 00408C52
    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,?,?,004080AF), ref: 00408C6C
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,004080AF), ref: 00408D2D
    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004080AF), ref: 00408D44
    Similarity
    • API ID: AllocVirtual$FreeHeap
    • String ID:
    • API String ID: 714016831-0
    • Opcode ID: f2b80fa3411928d67fe619ad67d36df7e9011d6a4e4a13ec76101a7497c8b7c1
    • Instruction ID: 0e0310a963c65e94c388ecc36a93ac941a661daba8f536ae0d05e24d5c8470ba
    • Opcode Fuzzy Hash: f2b80fa3411928d67fe619ad67d36df7e9011d6a4e4a13ec76101a7497c8b7c1
    • Instruction Fuzzy Hash: A4319E71640705DBE7308F24DE85B22B7A4EB54764F10823EE1AAB6AD0DB78A8449B5C
    APIs
    • VirtualFree.KERNEL32(?,00008000,00004000,7591DFF0,?,00000000), ref: 00408391
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004083EC
    • HeapFree.KERNEL32(00000000,?), ref: 004083FE
    Strings
    Similarity
    • API ID: Free$Virtual$Heap
    • String ID: "i@
    • API String ID: 2016334554-107731682
    • Opcode ID: 381dadccf8a02492c5b931a84fa54eb20eddd9c8c26bac619cb6f2ccd54e09e3
    • Instruction ID: 98aa62cd6c22a1406a8100b1fe6e4a77c99e6256c610f6b9dd8956f9e9411f38
    • Opcode Fuzzy Hash: 381dadccf8a02492c5b931a84fa54eb20eddd9c8c26bac619cb6f2ccd54e09e3
    • Instruction Fuzzy Hash: AEB14D35A00205DFDB18CF44DAD0AAABBA1FB58314F24C1AED8596F392DB75ED41CB44
    APIs
    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040B90F
    • GetLastError.KERNEL32 ref: 0040B919
    • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 0040B9E0
    • GetLastError.KERNEL32 ref: 0040B9EA
    Similarity
    • API ID: ErrorFileLastRead
    • String ID:
    • API String ID: 1948546556-0
    • Opcode ID: b2f4c1c601df130273a3fce86dc77e676e33ae042848530fd29d4a04c5ee9d08
    • Instruction ID: b9c471dc716487e451a362c20dc039e76419b6aff140a08e5a0f9b602173eb0a
    • Opcode Fuzzy Hash: b2f4c1c601df130273a3fce86dc77e676e33ae042848530fd29d4a04c5ee9d08
    • Instruction Fuzzy Hash: F061D570A04385DFDB118F58C884BAA7BB1EF02314F1481BBE961AB3D1D3799946CB9D
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0040B441
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0040B454
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040B4A0
    • CompareStringW.KERNEL32(00000000,?,00000000,00000000,?,00000000,?,00000000), ref: 0040B4B8
    Similarity
    • API ID: ByteCharMultiWide$CompareString
    • String ID:
    • API String ID: 376665442-0
    • Opcode ID: b7b3f07b48c9e36fe601482ba537f4b12fe32fe19777de958c498be900a6cc78
    • Instruction ID: b1ac21c2b05d2af04f814aee59bdd92160d358ff5afb255c5cc9886bcf31a569
    • Opcode Fuzzy Hash: b7b3f07b48c9e36fe601482ba537f4b12fe32fe19777de958c498be900a6cc78
    • Instruction Fuzzy Hash: 87211A72910249EBCF228F94CC41ADE7FB5FF48754F10422AFA15722A0C3369A61DB98
    APIs
    • GetCPInfo.KERNEL32(00000000,?,?,?,00000000,?,?,0040692C), ref: 00409322
    Strings
    Similarity
    • API ID: Info
    • String ID: &A$ &A
    • API String ID: 1807457897-867171739
    • Opcode ID: 00e7c2d3ed4bc82c66f44946780b955a361cbd1b3950f41a68451ed522669418
    • Instruction ID: 2445c3f2c9308626724333ca318f69eac529f370d44fbfe06a0bbbbae862447a
    • Opcode Fuzzy Hash: 00e7c2d3ed4bc82c66f44946780b955a361cbd1b3950f41a68451ed522669418
    • Instruction Fuzzy Hash: 2841297190C150AED711CF74D9903AB7BA1DB49308F24807BD945EB2D3D27D4D568B8D
    APIs
    • GetCPInfo.KERNEL32(?,00000000), ref: 0040952D
    Strings
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: f92b3679540dce79cc676c1bd81217f44bb2d80ca95de5b9ed7c3c9e1f6076af
    • Instruction ID: 28a485a423bafadc3e6c3eef1310479a3dd225f578bb93d465437164b642b0e6
    • Opcode Fuzzy Hash: f92b3679540dce79cc676c1bd81217f44bb2d80ca95de5b9ed7c3c9e1f6076af
    • Instruction Fuzzy Hash: 04417B310042586EEB168754CEA9BF77FA9DB05700F1408F6D54AEB1D3C2BA4D64CBAE
    APIs
    • RemoveDirectoryA.KERNEL32(C:\Temp,?,004010CA,004010B3,00406952,02010C70), ref: 00401E64
      • Part of subcall function 00405C69: SetCurrentDirectoryA.KERNELBASE(?,?,0040127D,-00000040,00000000), ref: 00405C8A
    • SetCurrentDirectoryA.KERNEL32(C:\Temp,?,?,004010CA,004010B3,00406952,02010C70), ref: 00401E1D
      • Part of subcall function 00401F25: DeleteFileA.KERNELBASE(00401A46,00000000,00401A46,?), ref: 00401F72
    Strings
    Similarity
    • API ID: Directory$Current$DeleteFileRemove
    • String ID: C:\Temp
    • API String ID: 3214568825-984105843
    • Opcode ID: 54cf79a39e3e3a9006f30395d77832fdfd4183540962d0a43cf782960d39855a
    • Instruction ID: 30fa742a723170139d6ae70fb92aa88087bccd2281eea06a35cdd0a985e60323
    • Opcode Fuzzy Hash: 54cf79a39e3e3a9006f30395d77832fdfd4183540962d0a43cf782960d39855a
    • Instruction Fuzzy Hash: 57F0FF32508200EAE62023A2FD4EBAB2E68DB01764F10403BF904F91F2CBBD4891C59C
    APIs
    • GetDriveTypeA.KERNEL32(00000000,?,0040A66C,00000000,?), ref: 0040A745
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: DriveType
    • String ID: :$\
    • API String ID: 338552980-1166558509
    • Opcode ID: 89430a0576dfbcd3bfa4ef4d4caf674c4aee9498fdd7a7be1406ea59f922ea3a
    • Instruction ID: 22cb121c1e7cbb52da834dc01990f0aabc534af87251f75d6e6a69d830149672
    • Opcode Fuzzy Hash: 89430a0576dfbcd3bfa4ef4d4caf674c4aee9498fdd7a7be1406ea59f922ea3a
    • Instruction Fuzzy Hash: 5CE0D83120838C99EF019F74949478A3FA84B01784F08C066F94CDE281D1B4D655C396
    APIs
    • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00408533,?,?,?,00000100), ref: 00408793
    • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00408533,?,?,?,00000100), ref: 004087C7
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00408533,?,?,?,00000100), ref: 004087E1
    • HeapFree.KERNEL32(00000000,?,?,00000000,00408533,?,?,?,00000100), ref: 004087F8
    Memory Dump Source
    • Source File: 00000000.00000002.2257332837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2257310034.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257352202.000000000040C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257369707.000000000040F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257386782.0000000000411000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257403242.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2257420562.0000000000417000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_WWAddToLocalAdmins.jbxd
    Similarity
    • API ID: AllocHeap$FreeVirtual
    • String ID:
    • API String ID: 3499195154-0
    • Opcode ID: 853f28b01196f95eff01be115f6dd33f179c89e7d789a2ce60d310de0f6083ae
    • Instruction ID: a4a623b30882b7fb99c15638d422b73f65525efb1e349e4a451275745edb24fd
    • Opcode Fuzzy Hash: 853f28b01196f95eff01be115f6dd33f179c89e7d789a2ce60d310de0f6083ae
    • Instruction Fuzzy Hash: 16112B31200601DFD7219F59EE859937BB6FB84764760863EF1A2D61F0C7B19861DB18